iOS HomeKit bug exposed smart locks to unauthorized access

Apple users, it's time for new security updates

iOS HomeKit Zero Day Lets Attackers Remotely Access Your Smart Home

The problem isn't with any individual smart home device, but with the HomeKit protocol itself.

A zero-day security vulnerability discovered in Apple's HomeKit app in the current version of iOS 11.2 would allow attackers to gain unauthorized control of Internet of Things devices connected via the application, 9to5Mac reported.

It's a hole in the software that lets any outside party control HomeKit accessories, which can range from lights to door locks.

That fix will not require any user action; it is being applied server-side, though it may result in some functionality issues for users.

As a side note: this latest watchOS upgrade also provides peer-to-peer payment capability through Apple Pay, but it will only work on Apple Watch when the wearable is paired with an iPhone running iOS 11.2. Earlier versions of iOS aren't affected.

Apple has another security issue to deal with. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.

After last week's release of an out-of-cycle emergency fix for a critical macOS High Sierra bug that allowed easy root access, the macOS update released yesterday (December 6) carries fixes for 22 vulnerabilities. Just be sure to install the iOS update when it's released in order to regain the reduced functionality.

The existence of the vulnerability isn't necessarily damning for HomeKit as a product, but it does raise questions for users as to how much they should trust the application.
