
A new strain of IoT malware can survive a reboot



    Seems specific to GNU/Linux machines:

    https://boingboing.net/2018/05/09/boot-persistence.html

    Minimal info in the article, but something to watch for.
    Kubuntu 24.04 64bit under Kernel 6.10.2, Hp Pavilion, 6MB ram. All Bow To The Great Google... cough, hack, gasp.

    #2
    Sure is.
    The IoT devices come in many configurations, some burned in and some changeable. If they have a persistent Linux OS installed the ability to download an exploit would be easy. Many come configured with the name "admin" and the password "admin", or something similar. The mfgrs expect the user to log in to their device via an HTML interface much like that on a wifi router and change the admin name and password. Most do not.

    There is a tool that allows you to search for a variety of online devices, including IoT's. It is called Shodan. With it you can search for specific devices (not just IoT's) and/or specific ports. A mediocre video which demonstrates some of Shodan's abilities is here. You can sign up for free. Searches will allow you access to TWO pages of results. If you want more you have to pay.

    It shows unsecured webcams in and around people's homes, printers connected to routers, and even computers sitting at a login screen, especially if they are using a cable and not the wifi. You could be watching someone log in and use his computer without him knowing about it. So, if Shodan is available to ordinary users like you and me, how powerful do you think the tools used by government hackers are?


    EDIT:
    If you want to play with shodan on your CLI then you'll need to create an account and then get your api_key. Store it in a file. Then install python-pip from the repository. Then

    pip install shodan

    When it is done it will tell you that your pip is out of date and to do

    pip install --upgrade pip

    to install the latest version, 10.1.

    Then you have to initialize shodan

    shodan init (your api_key here)

    You can see the basic commands with

    shodan --help
    Last edited by GreyGeek; May 09, 2018, 05:50 PM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.
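Added example, not part of the original posts: once the `shodan` package from the post above is installed, its Python API can show what Shodan has indexed for your own public address, so you can see which of your devices are reachable from outside. The key-file path, the `REVIEW_PORTS` list and the sample record are assumptions constructed for illustration.

```python
"""Review what Shodan has indexed for an address you own (added example)."""
import os

# Assumption: services this example treats as worth reviewing on a home/IoT network.
REVIEW_PORTS = {
    21: "FTP",
    23: "Telnet",
    80: "HTTP admin page",
    554: "RTSP camera stream",
    8080: "HTTP admin page",
}


def flag_exposed(host):
    """Return sorted (port, transport, reason, product) tuples for listed services."""
    findings = set()
    for svc in host.get("data", []):
        port = svc.get("port")
        if port in REVIEW_PORTS:
            findings.add((port, svc.get("transport", "tcp"),
                          REVIEW_PORTS[port], svc.get("product") or "unknown"))
    return sorted(findings)


def lookup_own_host(ip, key_file="~/.shodan_key"):
    """Fetch Shodan's record for your own public IP (needs network access)."""
    import shodan  # provided by `pip install shodan`
    # Assumption: the API key was stored in this file, one line, as the post suggests.
    with open(os.path.expanduser(key_file)) as fh:
        api_key = fh.read().strip()
    return shodan.Shodan(api_key).host(ip)


# Constructed sample shaped like a Shodan host record (documentation address).
SAMPLE_HOST = {
    "ip_str": "203.0.113.10",
    "ports": [23, 443, 554],
    "data": [
        {"port": 23, "transport": "tcp", "product": "BusyBox telnetd"},
        {"port": 443, "transport": "tcp", "product": "nginx"},
        {"port": 554, "transport": "tcp", "product": None},
    ],
}

if __name__ == "__main__":
    for port, transport, reason, product in flag_exposed(SAMPLE_HOST):
        print(f"{SAMPLE_HOST['ip_str']}:{port}/{transport} {reason} ({product})")
```

Anything it lists is a service to close at the router or firewall, or at least to move off the factory "admin" login.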
