Samsung says your SmartTag location is private and protected by rotating IDs that change every 15 minutes. But security researchers found that an attacker can extract a secret key from the tag that lets them decode ALL those rotating IDs — forever. This means someone who gets close to your SmartTag once could track it indefinitely, defeating the privacy protections Samsung advertises. Samsung says it respects your privacy and gives you control over your data. But buried in the same privacy policy, Samsung admits that sharing your data with business partners "may be considered a sale" under privacy laws — in other words, Samsung is selling your personal information for advertising. They also buy data about you from data brokers. And if you want to delete your data, the process is so complicated that reviewers say you practically need a computer science degree to figure it out.
What they claim: Samsung markets the SmartTag 2 as a simple item finder — "find your stuff easily" — requiring the SmartThings app. Samsung's product page emphasises basic tracking functionality: lost item alerts, location history, and AR finding.
What we found: The SmartThings companion app (com.samsung.android.oneconnect) requests 218 permissions total, including 30 dangerous/special permissions. Beyond what a tracker needs: RECORD_AUDIO (microphone access), CAMERA, CALL_PHONE, READ_CONTACTS, READ_PHONE_NUMBERS, READ_PHONE_STATE, ACTIVITY_RECOGNITION (physical activity monitoring), ACCESS_BACKGROUND_LOCATION (continuous GPS tracking even when app closed), QUERY_ALL_PACKAGES (inventory all installed apps), WRITE_SETTINGS, and BLUETOOTH_PRIVILEGED. A simple item-finding tag should not require the companion app to access your microphone, camera, phone calls, contacts, and activity patterns.
What they claim: Samsung states SmartThings Find uses encrypted, anonymous data and that "a device's location data is only shared with other people with the user's permission." Samsung claims offline finding is secured by Samsung Knox, their "defense-grade security platform."
What we found: Security research (Springer 2025) found that Samsung SmartTag designs lack secure boot, leaving them vulnerable to firmware modification. Off-the-shelf tools such as the Flipper Zero and bladeRF can disrupt communication between SmartTags and paired devices. The GitHub Samsung-SmartTag-Hack project demonstrates firmware dumping through fault injection attacks. Despite Samsung marketing Knox as "defense-grade" security, the tracker hardware itself has no secure boot and no firmware integrity verification, and it is vulnerable to physical attacks with consumer-grade hacking tools.
What they claim: Samsung states that SmartThings Find "encrypts user data" and the network anonymously detects missing devices. Samsung's product page emphasises that only the owner can see the tag's location.
What we found: All SmartTag location data transits through Samsung's cloud infrastructure (api.smartthingsfind.samsung.com, analytics.samsungknox.com, log-ingestion.samsungknox.com). Samsung also collects analytics data from the Knox platform. Despite the encryption claims, Samsung's centralised architecture means Samsung itself has access to all location data flowing through its servers. Samsung's privacy policy admits sharing data with law enforcement via subpoenas and court orders, meaning the "only you can see" claim has a significant asterisk. The hardcoded analytics and log ingestion endpoints confirm continuous telemetry collection beyond what is needed for basic item finding.
What they claim: The SmartTag 2 is a Bluetooth/UWB tracker with no Wi-Fi, no microphone, no camera, and no speaker beyond a basic alert chirp. The device hardware is minimal by design.
What we found: Despite the hardware having no Wi-Fi, microphone, or camera, the required SmartThings companion app requests RECORD_AUDIO (microphone), CAMERA, CALL_PHONE, ACCESS_WIFI_STATE, CHANGE_WIFI_STATE, CHANGE_NETWORK_STATE, and MODIFY_AUDIO_SETTINGS. The app also includes Microsoft Visual Studio App Center Analytics tracking. These permissions and trackers serve Samsung's broader data collection interests rather than the SmartTag's actual capabilities. The app is a shared platform for all SmartThings devices, meaning SmartTag users are forced to grant permissions intended for cameras, speakers, and other devices they may not own.
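To check the permission findings above (and those in the earlier permissions section) against any SmartThings build, here is a small Go audit program written for this review; it is not code from the review's authors or from Samsung. It parses an AndroidManifest.xml, such as one recovered with apktool, and reports every declared dangerous permission that falls outside an assumed baseline for a BLE/UWB item finder. The manifest fragment and the baseline set are constructed for the example; the dangerous list is the one named in this review.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
	"strings"
)

// usesPermission is one <uses-permission android:name="..."/>; the tag binds the attribute by namespace URL.
type usesPermission struct {
	Name string `xml:"http://schemas.android.com/apk/res/android name,attr"`
}
type manifest struct {
	Permissions []usesPermission `xml:"uses-permission"`
}

// baseline is what a BLE/UWB item finder plausibly needs (assumed here, not Samsung's list).
var baseline = map[string]bool{"BLUETOOTH_SCAN": true, "BLUETOOTH_CONNECT": true,
	"ACCESS_FINE_LOCATION": true, "INTERNET": true, "POST_NOTIFICATIONS": true}
// dangerous lists the dangerous/special permissions the review names in the SmartThings app.
var dangerous = map[string]bool{"RECORD_AUDIO": true, "CAMERA": true, "CALL_PHONE": true,
	"READ_CONTACTS": true, "READ_PHONE_NUMBERS": true, "READ_PHONE_STATE": true,
	"ACTIVITY_RECOGNITION": true, "ACCESS_BACKGROUND_LOCATION": true, "QUERY_ALL_PACKAGES": true,
	"WRITE_SETTINGS": true, "BLUETOOTH_PRIVILEGED": true}

// Excess parses a manifest and returns, sorted, every declared dangerous permission the baseline does not cover.
func Excess(manifestXML string) ([]string, error) {
	var m manifest
	if err := xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return nil, err
	}
	var out []string
	for _, p := range m.Permissions {
		short := strings.TrimPrefix(p.Name, "android.permission.")
		if dangerous[short] && !baseline[short] {
			out = append(out, short)
		}
	}
	sort.Strings(out)
	return out, nil
}

// sampleManifest is a constructed fragment, not the real SmartThings manifest.
const sampleManifest = `<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.BLUETOOTH_SCAN"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>`
func main() {
	excess, _ := Excess(sampleManifest)
	fmt.Println("dangerous permissions beyond a tracker's needs:", excess)
}
```

Feed it the full decoded manifest of the app build under review and compare the output with the permission list above.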
What they claim: Samsung privacy policy states: "We respect your concerns about privacy" and emphasises user control over data. SmartThings privacy notice states users can manage their privacy settings and opt out of data collection.
What we found: Samsung's own privacy policy explicitly states that data sharing with subsidiaries, affiliates, business partners, wireless carriers, and data analytics providers "may be considered a sale under certain state privacy laws." Samsung sells identifiers and online activity for "cross-context behavioral advertising purposes" and obtains data from "data brokers" and "online advertising networks." Mozilla's review found the data deletion request form is "nearly impossible without a computer science degree." Samsung's stated respect for privacy is contradicted by its own admission of selling user data.
What they claim: Samsung provides "Unknown Tag Detection" as an anti-stalking feature, presented as a safety measure to protect users from unwanted tracking by SmartTags placed without their knowledge.
What we found: Academic research ("Stop Following Me!", arxiv:2312.07157) found: (1) Unknown Tag Detection must be manually activated in SmartThings settings — it is not on by default. (2) In testing, the SmartThings app failed to detect Galaxy SmartTags tracking users. (3) Non-Samsung phone users have no native detection capability — they must install a separate app. (4) Only Galaxy phone users with SmartThings installed AND Unknown Tag Detection manually enabled receive alerts. The anti-stalking protection Samsung advertises requires users to know it exists, find the setting, and enable it — making it ineffective for most potential victims.
What they claim: Samsung markets the SmartTag 2 as safe for families, including for tracking children's belongings. SmartThings app allows creating child accounts to share device access within family groups.
What we found: Samsung's privacy policy permits collecting from child accounts: videos, images, geolocation, health information, calls, and messages. This data is used for broadly defined "business" purposes including "developing new products" and is shared with "business partners" and third-party app operators. The SmartThings app requests ACTIVITY_RECOGNITION, ACCESS_BACKGROUND_LOCATION, READ_CONTACTS, and READ_PHONE_NUMBERS — meaning Samsung can track a child's physical activity, continuous location, contacts, and phone numbers, far beyond simple item tracking. Mozilla rated this children's data collection as a critical concern.
What they claim: Samsung claims SmartThings Find data is encrypted and user location is not revealed to anyone except the owner. Samsung states device IDs rotate every 15 minutes and location data is anonymised.
What we found: Security research (arxiv:2210.14702) found that SmartTag firmware v1.02.06 accepts Just Works BLE pairing, allowing attackers to extract the Identity Resolving Key (IRK). The IRK is persistent across reboot and account switching, enabling attackers to resolve all rotating Resolvable Private Addresses (RPAs) and track the physical tag indefinitely. The 15-minute ID rotation is rendered meaningless when the IRK is compromised. Additionally, the advertising counter accepts data older than 7 days, undermining replay attack prevention.
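To make concrete why the IRK matters more than the rotation interval, here is the Bluetooth Core Specification's Resolvable Private Address construction and resolution in Go, written for this review and not taken from the cited research or from Samsung. Rotation only changes the 24-bit prand; anyone holding the static IRK recomputes the hash and matches every new address. The IRK value is constructed, and byte order follows the spec's most-significant-byte-first layout rather than any particular stack's little-endian wire order.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// IRK is the 128-bit Identity Resolving Key a BLE device shares with bonded peers.
type IRK [16]byte
// ah is the random address hash from the Bluetooth Core Spec (Vol 3, Part H, 2.2.2):
// ah(k, r) = e(k, padding || r) mod 2^24, e being AES-128 under key k and r the 24-bit
// prand. Byte order follows the spec's most-significant-byte-first layout.
func ah(k IRK, prand [3]byte) [3]byte {
	c, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err) // key is always 16 bytes, so this cannot fail
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // 104 zero bits of padding, then prand
	c.Encrypt(out[:], in[:])
	return [3]byte{out[13], out[14], out[15]} // low 24 bits of the ciphertext
}

// NewRPA builds a Resolvable Private Address: a fresh 24-bit prand (top two bits 01)
// followed by ah(IRK, prand). Each rotation changes prand only; the IRK never changes.
func NewRPA(k IRK) [6]byte {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		panic(err)
	}
	prand[0] = prand[0]&0x3f | 0x40
	h := ah(k, prand)
	return [6]byte{prand[0], prand[1], prand[2], h[0], h[1], h[2]}
}

// Resolve is the check any IRK holder runs on each fresh address: recompute the hash
// from prand and compare. Once the IRK has leaked, rotation adds no privacy.
func Resolve(k IRK, rpa [6]byte) bool {
	if rpa[0]&0xc0 != 0x40 {
		return false // not a resolvable private address
	}
	return ah(k, [3]byte{rpa[0], rpa[1], rpa[2]}) == [3]byte{rpa[3], rpa[4], rpa[5]}
}
func main() {
	var k IRK
	copy(k[:], "constructed-irk!") // constructed sample key, not any real tag's
	rpa := NewRPA(k)
	fmt.Printf("%x resolves with this IRK: %v\n", rpa, Resolve(k, rpa))
}
```

The mitigation this illustrates is key hygiene rather than faster rotation: an IRK that survives reboots and account changes, and that can be read out over Just Works pairing, undoes the rotation scheme entirely.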
What they claim: Samsung's privacy policy contains CCPA/GDPR compliance sections asserting user rights including data access, deletion, and opt-out of data sales. Samsung states users can "opt out of targeted advertising and data sales."
What we found: Mozilla's Privacy Not Included review found Samsung's data deletion request form is "nearly impossible without a computer science degree." User rights are qualified as "subject to applicable law," making them non-universal. Samsung has multiple overlapping privacy policies across different websites with conflicting information, making it nearly impossible to determine which policies apply. Samsung's track record includes: 190GB stolen by the Lapsus$ gang (2022), sensitive data leaked to ChatGPT by employees (2023), and a UK customer data breach (2020). The privacy rights Samsung promises are undermined by poor security practices and deliberately complex opt-out mechanisms.
What they claim: Samsung states that SmartThings Find is opt-in and that users can control whether their Galaxy device participates in the offline finding network. Samsung support page states: "You will be given the opportunity to opt in to several features."
What we found: Samsung's own documentation confirms SmartThings Find is automatically activated when a Samsung account is registered on a Galaxy device. Users are not presented with a separate opt-in for participating in the crowd-sourced tracking mesh — their phone immediately begins scanning for and relaying SmartTag locations. Over 300 million Galaxy devices participate as passive BLE scanners. Galaxy phone owners are unwitting nodes in a global tracking infrastructure without having given explicit consent specifically for this relay function.