Comment by jeroenhd

Aside from one or two very bad Bluetooth and WiFi bugs (the worst ones usually being device-specific driver bugs), Android's OS itself actually doesn't have a huge external attack surface. Even if you do break in, the SELinux security mechanisms are a major pain to break through, especially with many devices running model-specific configurations.

The real risk of running old Android versions is that apps can escalate privileges or even get root access because of sandbox bypasses. As long as the pre-existing apps on there are updated against vulnerabilities, it's not easy to break into these things.

If it were, enabling ADB access on these things wouldn't be such a big deal, after all!

The mere concept of having Facebook install a camera into your home should be enough for anyone not to want these devices in their homes (with stock firmware). The hardware is very nice but the software cannot be trusted.