Reminder: keep your IoT on their own network
The Internet of Things keeps growing, with lightbulbs, smart switches, connected clocks, smart speakers, wireless shoes, connected appliances, and basically anything else a chip can be put into.
For a large chunk of these, the only security you have is your WiFi password. They accept commands from anything that can connect directly to them, which usually means anything on the same network. And you’re really not putting IoT devices out there on live IPs unless you want to attract an attacker.
In the past, separating IoT from your network was difficult – TVs had to be on the same network for apps to work, Chromecast and Home had to be in the same segment, and so on. That’s generally gone away as the software has gotten better.
Your big concern here is a hacked lightbulb that sits around doing its job until a hacker decides it’s time to start looking at everything on your network through a remotely controlled mini Linux distro (your lightbulb): sniffing packets, looking for security holes on your computers, running exploits until one works. Yeah, your lightbulb can do all of that.
What it can’t do (easily) is jump from network to network if it doesn’t have the password. And that’s why, if you can, you put all your IoT on its own little network and keep your computers, and any devices that are at least theoretically secure, on another.
And if you can go further, enable client isolation so no IoT device can talk to or scan any other IoT device without going through a central server. This doesn’t work with some dim bulbs, however.
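To make the policy from the last two paragraphs concrete, here is an added model (not code from the original post) of the forwarding decision a router between the two segments makes: a stateful filter where the trusted LAN may reach anything, IoT may reach the internet and its own hub, IoT may never initiate toward the LAN or toward other IoT devices, and replies to LAN-initiated connections still get through. The segment names, addresses, hub address and sample flows are all assumptions constructed for illustration; the comments note how each rule maps to what you would actually configure.

```python
"""Model of the segmentation policy recommended above: a trusted LAN segment,
a separate IoT segment, and client isolation within IoT. This is an added,
constructed model of the forwarding decision, not router configuration;
segment names, addresses and sample flows are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing: a trusted LAN and a separate IoT network (a VLAN or a
# second SSID). The hub is the one IoT device the others may talk to.
SEGMENTS = {
    "lan": ip_network("192.168.1.0/24"),
    "iot": ip_network("192.168.50.0/24"),
}
IOT_HUB = ip_address("192.168.50.2")  # assumed central controller address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def segment_of(addr: str) -> str:
    """Classify an address as lan, iot, or internet (anything not ours)."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


class Firewall:
    """Stateful forwarder. The first packet of a flow consults the policy;
    later packets and replies ride on the connection-tracking entry, which is
    what an 'established,related -> accept' rule does on a real router."""

    def __init__(self) -> None:
        self.conntrack: set[tuple[str, int, str, int, str]] = set()

    def policy(self, pkt: Packet) -> bool:
        s, d = segment_of(pkt.src), segment_of(pkt.dst)
        if s == "lan":
            return True                      # trusted side may go anywhere
        if s == "iot" and d == "internet":
            return True                      # cloud services keep working
        if s == "iot" and d == "iot":
            # client isolation: IoT devices may only reach the hub, not each
            # other (on an AP this is the "client/AP isolation" checkbox)
            return ip_address(pkt.dst) == IOT_HUB
        return False                         # IoT -> LAN and anything else: drop

    def forward(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.conntrack or reverse in self.conntrack:
            return True                      # part of an already-allowed flow
        if self.policy(pkt):
            self.conntrack.add(key)          # remember the flow so replies pass
            return True
        return False


def run_demo() -> dict[str, bool]:
    """Push a constructed sequence of flows through the model and report
    which ones the router would forward."""
    fw = Firewall()
    laptop, bulb, hub = "192.168.1.10", "192.168.50.20", "192.168.50.2"
    other_bulb, cloud = "192.168.50.21", "203.0.113.5"   # 203.0.113.0/24 is documentation space
    return {
        "lan_to_bulb":        fw.forward(Packet(laptop, 51000, bulb, 80)),
        "bulb_reply_to_lan":  fw.forward(Packet(bulb, 80, laptop, 51000)),
        "bulb_to_cloud":      fw.forward(Packet(bulb, 40000, cloud, 443)),
        "bulb_probes_lan":    fw.forward(Packet(bulb, 40001, laptop, 445)),
        "bulb_to_hub":        fw.forward(Packet(bulb, 40002, hub, 8443)),
        "bulb_to_other_bulb": fw.forward(Packet(bulb, 40003, other_bulb, 80)),
    }


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DROP'}")
```

The point the model makes is the order of the two checks: the reply from the bulb to the laptop is forwarded only because the laptop opened the connection first, while the bulb's own attempt toward the laptop on port 445 has no matching entry and falls through to the policy, which drops it. That is the same asymmetry you get on a real router by putting the connection-tracking accept rule ahead of the per-segment rules.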
Every IoT device is a seldom-patched Linux distro sitting there waiting… waiting… all the time, for something.