malicious javascript can only send packets on your rfc1918 network via a DNS rebinding attack, which is not trivial to pull off and is not very reliable
all of these iot devices use upnp to bypass the nat 'firewall'
Edit: Note that the example does try to do some DNS rebinding on the router, but that's the end goal. The attack itself doesn't rely on rebinding. It does require "already logged on to the router" users, but I suspect an attack using default login credentials is possible as well.
I'd like to see someone actually name & shame the devices involved. With evidence, of course.
I've had a quick poke around my house, and the couple of devices I have (wemo, philips hue) are holding pretty persistent outbound http connections - not dropping their trousers and exposing telnet.
Persistently exposed telnet sounds more to me like industrial control devices, network appliances, etc. But "IoT" is so vague that we're immediately jumping to blaming consumer devices.
Dahua. And then there are the Alibaba Chinese Hikvision cameras that generally can't be firmware updated. Seems like plenty of people port forward to their cameras as most of the camera forums say over and over to use VPN and not port forward.
all of these iot devices use upnp to bypass the nat 'firewall'