So I do agree on the attack vector thing, I stated it overly strong in some ways =).While I agree with the sentiment it should be bounds checked, the attack vector is a bit far - as you can of course turn the volume way, way up too without authentication.
This is ultimately the problem with internet connected devices, its just in most cases features are not exposed that can seriously break stuff. AVP/R's have a few features that make that pretty easy to do and those features are required.
The system should do the bounds checking in the API so the API rejects any out of bound values.
Honestly I feel that monoprice should implement a user and password for the web interface. There should be some sort of authentication required before you can execute commands.