Your Samsung fridge has three cameras inside that automatically take photos of your food every time you close the door. These photos are uploaded to Samsung's servers for AI analysis. Most people buying a refrigerator would not expect it to photograph them and their food. The Samsung Food app that connects to your fridge's cameras contains 9 tracking tools including advertising networks from Facebook, Google, and TikTok's parent company ByteDance. Your food and eating habits may be shared with these advertising companies.
What they claim: Samsung's privacy approach page states: "The data you provide is secured with industry-standard encryption to help protect your information" and positions data collection as user-initiated.
What we found: The Family Hub contains three 2-megapixel cameras that automatically photograph fridge contents every time the door closes. SmartThings Privacy Notice confirms collection of "images recognized as food and taken when you open and close the refrigerator door." This automated surveillance happens by default in a kitchen appliance — consumers buying a refrigerator do not expect it to photograph their food and upload images to Samsung's cloud.
What they claim: Samsung's privacy approach page states Samsung is committed to providing "transparency about the data we collect" and that customers can control how data is used.
What we found: The SmartThings companion app (v1.8.21.28) requests the RECORD_AUDIO, CALL_PHONE, READ_CONTACTS, READ_PHONE_NUMBERS, and READ_PHONE_STATE permissions. For a refrigerator companion app, microphone recording, phone calling, and contact reading capabilities far exceed what is needed to check fridge temperature or view food photos. The app also requests QUERY_ALL_PACKAGES, which lets it inventory every app installed on the user's phone.
What they claim: Samsung's privacy approach says Samsung provides "transparency" and "options to limit" data collection.
What we found: The Family Hub has 2 built-in microphones for Bixby voice assistant. SmartThings Privacy Notice states "voice commands" are "relayed through SmartThings servers for processing." The SmartThings app requests RECORD_AUDIO permission. The fridge is placed in kitchens — one of the most private spaces in a home — and has always-listening microphone capability. Combined with food photography, this creates comprehensive kitchen surveillance: what you eat, when you eat, what you say while cooking.
What they claim: SmartThings Privacy Notice states data is retained "as long as it is needed to provide you with the Service" with no specific maximum period.
What we found: The fridge captures food images every door open/close, collects temperature data, usage duration, and function selections continuously. The CCPA disclosure does not specify maximum retention periods for any data category — food photos, voice recordings, or usage telemetry. Unlike SimpliSafe (30 days for video, 6 months for audio), Samsung provides no concrete retention timeline. This means food consumption patterns could be retained indefinitely, building years of dietary surveillance.
What they claim: The Family Hub is a stationary kitchen appliance that does not move. It connects to home Wi-Fi at a fixed location.
What we found: The SmartThings app requests ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, and ACCESS_COARSE_LOCATION (persistent GPS tracking even when the app is closed), and ACTIVITY_RECOGNITION (physical activity detection: walking, running, cycling). A refrigerator is a fixed appliance; it never moves and doesn't need to know if you're walking or cycling. These permissions exist solely to track the human using the app, not to operate the fridge.
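The permission findings above can be reproduced against any decoded AndroidManifest.xml. The following Python is an added example, not part of the original report and not Samsung's code: the manifest is constructed, the package name `com.example.companion` is hypothetical, and both the `BASELINE` set and the `CATEGORIES` grouping are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Permissions the page reports for the SmartThings app, grouped by what they
# expose. The grouping is this example's own, not an Android classification.
CATEGORIES = {
    "microphone": {"RECORD_AUDIO"},
    "phone and contacts": {"CALL_PHONE", "READ_CONTACTS", "READ_PHONE_NUMBERS",
                           "READ_PHONE_STATE"},
    "location and activity": {"ACCESS_BACKGROUND_LOCATION", "ACCESS_FINE_LOCATION",
                              "ACCESS_COARSE_LOCATION", "ACTIVITY_RECOGNITION"},
    "installed-app inventory": {"QUERY_ALL_PACKAGES"},
}
# Assumed baseline for reading fridge temperature and viewing food photos.
BASELINE = {"INTERNET", "ACCESS_NETWORK_STATE"}

# Constructed manifest (not extracted from the real APK).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.companion">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.ACTIVITY_RECOGNITION"/>
  <uses-permission android:name="com.example.companion.permission.PUSH"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return permission names, with the android.permission. prefix stripped."""
    names = set()
    for el in ET.fromstring(manifest_xml).iter():
        name = el.get(NS + "name")
        if name and el.tag in ("uses-permission", "uses-permission-sdk-23"):
            names.add(name[len(PREFIX):] if name.startswith(PREFIX) else name)
    return names

def audit(manifest_xml, baseline=BASELINE):
    """Group every permission beyond the baseline by the data it exposes."""
    excess = requested_permissions(manifest_xml) - baseline
    report = {cat: sorted(excess & perms)
              for cat, perms in CATEGORIES.items() if excess & perms}
    known = set().union(*CATEGORIES.values())
    if excess - known:
        report["uncategorised"] = sorted(excess - known)
    return report
```

Calling `audit(SAMPLE_MANIFEST)` returns a dictionary keyed by category; anything under `uncategorised` is a permission the grouping does not cover and needs manual review.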
What they claim: Samsung markets Family Hub as a kitchen management center for "meal planning, grocery shopping, and family coordination."
What we found: The Family Hub includes SmartThings hub functionality, meaning it can see and control other connected devices in the home — lights, locks, cameras, thermostats. The fridge connects to api.smartthings.com, graph.api.smartthings.com, and push.samsungosp.com. SmartThings Privacy Notice confirms collection of data from all connected devices including "device model, name, settings, sensor and configuration data, error and malfunction logs, usage information, IP address, and device identifiers." A refrigerator becomes a surveillance hub for the entire smart home.
What they claim: Samsung positions the Family Hub as a "family management" tool that helps with meal planning, recipes, and grocery lists. Samsung's privacy page states they provide ads "customized to your interests" with options to limit ad types.
What we found: Exodus Privacy analysis of the Samsung Food app (com.foodient.whisk v2.52.1) reveals 9 trackers including Google AdMob, Pangle (ByteDance/TikTok ad network), Facebook Analytics, Facebook Login, Facebook Share, and IAB Open Measurement. The app also requests ACCESS_ADSERVICES_CUSTOM_AUDIENCE and ACCESS_ADSERVICES_TOPICS permissions. A food and recipe app connected to your refrigerator's cameras is sharing data with advertising networks including one owned by ByteDance (TikTok's parent company).
What they claim: SmartThings Privacy Notice mentions data is shared with "subsidiaries and affiliates" and "business partners who control and manage your personal information."
What we found: A Samsung account links fridge data with data from Samsung TVs, phones, tablets, and watches. The SmartThings app requests ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, and ACTIVITY_RECOGNITION, tracking where you go and what physical activities you do. Combined with fridge camera data (what you eat), TV data (what you watch), and phone data (who you call), Samsung can build a comprehensive behavioral profile. The privacy policy admits to providing "advertisements customized to your interests" using this data.
What they claim: Samsung states: "The data you provide is secured with industry-standard encryption to help protect your information."
What we found: Pen Test Partners demonstrated at DEF CON 23 (2015) that the Samsung RF28HMELBSR smart refrigerator failed to validate SSL certificates when connecting to Google's servers, enabling man-in-the-middle attacks. Anyone on the same Wi-Fi network could steal Gmail credentials used for the calendar display feature. CVE-2018-16262 later showed Tizen's package manager had improper D-Bus security allowing unprivileged code installation (CVSS 8.8 HIGH).
What they claim: Samsung's privacy approach page states they are committed to protecting customer data with industry-standard security.
What we found: Security researcher Amihai Neiderman discovered over 40 zero-day vulnerabilities in Tizen OS in 2017, describing the code as potentially "the worst code I've ever seen." Tizen OS runs on the Family Hub refrigerator. CVE-2018-16262 (CVSS 8.8 HIGH) allows unprivileged package installation on Tizen devices. CVE-2023-41270 shows WPS authentication issues persist as recently as 2023. A kitchen appliance running an OS with this many documented vulnerabilities creates serious security risks — the fridge stores Samsung account credentials, Google credentials, and photographs private spaces.