Matt Kunze, a security researcher found a way for attackers to spy on Google Home speakers using Routines. Routines are a way to execute multiple commands at once, like “Hello Google, good morning” which could turn on the lights and read you the weather.
Using a rooted phone with Magisk and man-in-the-middle tools he found a way to link his own Google account to a nearby speaker by sending deauthorization packets.
With access to the speaker, he used Routines to run commands such as “call [phone number]” to send the microphone feed to a phone number. He can also make arbitrary HTTP requests within the victim’s LAN (which could potentially expose the Wi-Fi password or provide the attacker direct access to the victim’s other devices)
After reporting this on the 8th of January 2021, Google fixed this issue in April and rewarded him with $107,500 in May 2022.