Holy shit the article is far less tame than the title. They provided several ways to run commands as root and they can be generated as an over-the-air HTTP call. As per the article, if you buy the Jooki domain, it's very likely you can control every single Jooki on the market. You can make the speaker do whatever you'd like. Pretty scary stuff. One has to wonder what nerds can do with that kind of tech: turn speakers into a low quality mic? Use them as bots for a DDoS attack? Just start blasting heavy metal music? Or just brick every device?
It's pretty wild what the devs have done here. I can excuse executing commands as root from a file on the SD card. It's not exactly safe or smart but it's also not the most dangerous thing to assume only people with access to the device would do that. Hardly a worry for most parents as long as you're not especially reckless. But to allow OTA root level commands to be run? That's a horrible design. At least setup a user that can only execute a few pre-designed scripts. Don't just give them carte blanch to run havoc on your hardware.
Just another reminder that every wifi enabled device is likely a ticking timebomb. Especially low quality devices meant for kids. Baby monitors, speakers, etc. have a history of being built cheaply and poorly. That's why I bought non-wifi baby monitors for my family.