“GlobalData’s Internet of Things report outlines that the fragmented security standards landscape and the weak security of many internet of things (IoT) devices could hold back further adoption of the technology. Furthermore, it suggests that existing IoT deployments could become a security risk due to the current state of affairs.”
Way too many IoT devices have no real security: they don’t get updates and patches, they freely call out onto the Internet, some have no login security at all, and others rely on weak security standards.
That is partly because they are cheap devices that are not built to any strict security standard.
So whilst many users have a firewall turned on at their router, that usually only blocks unsolicited incoming traffic. IoT devices can still freely establish outbound links to the outside world, and if one is compromised, it can end up acting as a bridge to everything else on the LAN behind the firewall.
That is why I went to quite a bit of trouble to isolate my IoT devices onto their own VLANs. If you do not have the hardware to configure VLANs for them, at least ensure they are connected to your guest network, and that the guest network is isolated from the main LAN network (there is typically a toggle setting for that).
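As an added illustration (not part of the original post), this is what that isolation looks like as an nftables ruleset on a Linux-based router: the forward policy defaults to drop, the trusted LAN may reach the IoT VLAN and the Internet, and the IoT VLAN may only reach the Internet, with blocked IoT-to-LAN attempts logged so you can spot a misbehaving device. The interface names, VLAN id and subnets are assumptions.

```nft
#!/usr/sbin/nft -f
# Assumed (hypothetical) topology:
#   wan0        = upstream/Internet link
#   br-lan      = trusted LAN, 192.168.1.0/24
#   br-lan.20   = IoT VLAN (802.1Q id 20), 192.168.20.0/24
flush ruleset

define WAN     = "wan0"
define LAN     = "br-lan"
define IOT     = "br-lan.20"
define LAN_NET = 192.168.1.0/24
define IOT_NET = 192.168.20.0/24

table inet filter {
    chain forward {
        # Weak default on many consumer routers is effectively "policy accept"
        # between internal networks; start from drop instead.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were permitted when they started
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may manage IoT devices and reach the Internet
        iifname $LAN oifname { $IOT, $WAN } accept

        # IoT may reach the Internet but never initiate towards the trusted LAN.
        # The explicit drop is redundant with the policy, but logging it gives
        # a detection signal for a device that starts probing the LAN.
        iifname $IOT oifname $LAN ip daddr $LAN_NET \
            log prefix "iot-to-lan-blocked: " drop
        iifname $IOT oifname $WAN accept
    }

    chain input {
        # Services the router itself offers to the IoT VLAN: DHCP and DNS only
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN accept
        iifname $IOT udp dport { 53, 67 } accept
        iifname $IOT tcp dport 53 accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the `iot-to-lan-blocked:` prefix will then appear in the kernel log whenever an IoT device tries to cross into the trusted LAN.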
See https://www.verdict.co.uk/critical-concerns-about-internet-of-things-security