I'm not convinced that it needs to be internet controlled. Hopefully it uses protocols like BLE or Zigbee requiring proximity. That way such an attack would require being physically near the device.
Zigbee devices can form mesh networks. That means viruses on them can form mesh networks. If, in addition to your Zigbee-only home automation gear, you've got a Zigbee-enabled internet-enabled hub of some kind, you can get command-and-control into the network from anywhere in the world. So much for proximity. I worked briefly in a SCADA-adjacent space a decade ago, and people were delivering PoCs back then.
IoT is a raging tirefire. It's hard to even imagine how bad the security situation is.