You don't need to exploit sensors. If a compromised device is connected to the internet (because the vendor app requires it to set up and control), you can use it as a part of botnet with a nice residential IP address.