And here's where the fly dives into the ointment. The cloud service your app talks to had a bunch of vulnerabilities that allowed any Tom, Dick, and Harry to anonymously get access to the device and user database. It let researchers unlock the door:
Emphasis in the original.
Oh, for added coolness, the Shodan search tool will identify all of these, worldwide.
The vendor has fixed the cloud service so this can't be exploited, but my original point remains - any woodpecker that stumbles by could have opened your front door. We only know about this because the White Hat guys at Tripwire took a look. Who else has a product like this where nobody has taken a look?
Now think about the "peaceful protesters" coming into neighborhoods to "peacefully protest" outside people's homes. These "peaceful protesters" have a bunch of maladjusted sociopaths who look to me like some of the Black Hat guys we've seen in the past. What are the chances that some Antifa d00d can get a lot of status on the Island of Misfit Toys by figuring out what people could be targeted for a living room serenade?