
> You're one decent security flaw (in an IoT device no less) from anybody having a microphone in your house.

Many people already have Android smartphones, so there is already a Google microphone in your house. The big difference is that you know that it has a microphone.



Which of course makes a big difference. We are all adults. We can weigh pros and cons and then make an informed decision. Not so if we don’t know all the details. This is what you’re betting on when leaving “details” like this out.


Lots of technology now incorporates the idea that people are better not given too many choices. DRM/trusted computing, root-locked phones, software and operating systems that decide what information they send where, without any explicit consent or choice to disable.


The smartphone requires a battery, which drains away noticeably if it is sending all your conversations. The Nest is connected to the house power, so it can stream audio non-stop.


Additionally, a user is likely to pay a lot more attention to their phone than to their Nest devices. A compromised Nest device will likely stay compromised until Google find the exploit...


Are you sure about that battery drain?

A malicious actor could easily conceal their activity by making 24-hour-long recordings and sending them in the night (or whenever connected to WiFi and plugged into power).


The main trick smartphones use to have their battery last long enough is to power off every piece of hardware that's not in use, for as long as possible. Doing a 24-hour-long recording would require the main CPU to be awake far more often than usual (and in fact, I would suspect it would have to be pretty much constantly awake, unless the phone had a large dedicated hardware buffer for the recorded audio samples).


Not to mention that Android phones seem to pick up the "ok google" activation pattern from random conversations, and start sending voice to Google's servers for speech-to-text processing. Even after repeated attempts to find and turn off voice activation from settings.


And many people don't have Android phones, so this could be pretty significant.

Besides, the attack vector for a non-Google attacker to access this mic may be different than for accessing the mic on a phone.


While true, the upgrade situation for Android is way better than for most IoT devices, which is saying something. And this is the sort of thing you may well keep for a decade. While you may still have other Google microphones, I would be a lot more worried about this one specifically being vulnerable at some point.



