I've been working now awhile on my
Onkyo Qt ISCP library and there is one not so funny thing about the protocol. There is no authentication or authorization whatsoever. So basically if you happen to be on the same network as a networked Onkyo you can do whatever you like.
From the not-too-bad: Change radio channel, switch input
To the not-so-nice: Turn the volume up as high as it goes, stream something nasty
Even the device setup web interface is open to everyone.
So don't put a networked Onkyo on a public IP and keep it on a private network that no outsiders can access.