Source?? I'm quite certain that it's much harder to exploit something that you can't even send a TCP packet to. If the device is only directly connected to the hub (amazon/google/apple box) and the hub is only connected to the cloud service, how would you even send a payload to the device, even if an exploit existed?

You could exploit the cloud service directly and gain control of the device, but that's like stealing the security guard's master keys - you can't call that a vulnerability in the door lock, can you?