The thing is, there's no such thing as not connected to the internet. If someone can get to your router and open a port, then anything he wants connected is connected. Probably lots of routers have UPnP router configuration enabled, so all it takes is running one program, that you'd probably never realize was bad since it wouldn't do anything obvious. It could open up various ports for direct incoming access.
For that matter, don't a number of the major sleazy theft programs out there like emule and freenet and such use UPnP to open ports while the program is open? If so, that means that those folks who allow that, figuring it's a good thing if it lets them steal stuff, will have enabled that functionality on their routers if it wasn't on by default. And of course that's exactly the kinds of programs that would be ripe for getting you to run something dangerous as well. If you have any teenagers ever on your network, you should probably assume these types of things are going on and that they will run almost anything they can download.
I geuss that those incoming packets are not going to be local subnet packets, right? If so, one simple thing to do is to have these devices refuse any packets not for the local subnet. But companies selling individual devices are likely not to do that because they want to claim you can use some simple phone app to talk directly to the device, not requiring an automation system. So they'd have to accept network packets, presumably?