Rapid7 did an IoT security study of baby monitors, that’s currently being covered by the Verge and a lot of other news sites today.
The results were abysmal. Eight of the nine cameras received a failing F, while the other received a D. The security failures included a number of known vulnerabilities, including transmitting video and sending data to servers without encryption. Many of the connected devices also had built-in passwords that could be guessed (or worse, published) by the attacker, a long-standing concern in embedded devices.
http://www.theverge.com/2015/9/2/9241661/baby-monitors-vulnerable-hacking-patch-zero-day
https://www.rapid7.com/resources/iot/index.jsp