Virgin Media has told 800,000 customers to change their passwords to protect against being hacked.
An investigation by Which? found that hackers could access the provider's Super Hub 2 router, allowing access to users' smart appliances.
A child's toy and domestic CCTV cameras were among the vulnerable devices.
Virgin Media said the risk was small but advised customers using default network and router passwords to update them immediately.
A spokesman said: "The security of our network and of our customers is of paramount importance to us.
"We continually upgrade our systems and equipment to ensure that we meet all current industry standards.
"We regularly support our customers through advice and updates and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions."
The company said the issue existed with other routers of the same age and was not exclusive to their model.
The study, carried out in conjunction with ethical security researchers SureCloud, tested 15 devices -of which eight had security flaws.
In one case a home CCTV system was hacked using an administrator account that was not password protected. Hackers were able to watch live pictures and in some cases were able to move cameras inside the house.
Which? called for the industry to improve basic security provisions, including requiring customers to create a unique password before use, two-factor authentication, and issuing regular software security updates.
Alex Neill, Which? managing director of home products and services, said: "There is no denying the huge benefits that smart-home gadgets and devices bring to our daily lives.
"However, as our investigation clearly shows, consumers should be aware that some of these appliances are vulnerable and offer little or no security.
"There are a number of steps people can take to better protect their home, but hackers are growing increasingly more sophisticated.
"Manufacturers need to ensure that any smart product sold is secure by design."
Which? said it had contacted the manufacturers of the eight affected products to alert them to the security flaws.