The National Cyber Security Centre (NCSC) is advising people to tweak the settings of connected devices after buying them.
Easy-to-guess default passwords might let a hacker secretly observe a home through connected devices, it said.
The NCSC's technical director, Dr Ian Levy, warned that while the devices were "fantastic innovations", they were vulnerable to cyber-attackers.
There are many examples of devices being accessed without permission.
In one, the attacker spoke to a young girl, pretending to be Father Christmas.