I call BS
EDIT: more detailed answer, in response to some of your comments on other messages.
All the system you describe are very different to each other. And all very secure.
I know that in movies, all it takes to hack a system, is a teenager with a geeky face, drinking red bulls, listening heavy metal and owning hundreds of super-heroes figurine. Real life is a bit different though.
No system can SWEAR that they have not a single breach. That is why you can't trust them too much. A breach can always be found (well, even that is not so sure. At least it is more theoretical than practical. In reality for simple enough system, we are sometimes 100% sure nobody will ever hack them. As you can guess, we are quite confident nobody can hack nuclear launch. Not because they are so advanced and sophisticated that they are not hackable, as they would say in movies. But, on the contrary, because they are so rudimentary and simple that there is no room for a breach)
But, well, let admit that for all technology you mentionned (phone, computer, smart tv, ...) we can't be sure there is no breach (as far as smart tv is concerned, I am even pretty sure that there is one. Those things are usually very poorly designed)
But there is a difference between "we can't be sure there is no breach", and "there is a breach". And then, another difference between "there is a breach", and "this breach has been found", and a difference again between "this breach has been found but fixed", and "this breach has been found and not yet fixed".
Each single hack you mentionned would be a HUGE story. If someone was able to take control, even of a smart tv, that would be a huge story.
And you are saying that someone was able to take control of every single one. And just for your boyfriend. Sorry, I don't buy it.
1. Nobody in the world (even the geekiest kid with the biggest red bull consumption and the most numerous figurines) can do all that.
2. If some was, he would target Donald Trump (for political purpose), ISIS, a bank. Not your boyfriend.
Understand that 99% of the hack you heard about in your life are social engineering. Hack of the democratic party? Someone just send an email to all responsible people, saying "I am in charge of auditing security, so I need to check every admin credential. Please send me your password" (or the 4 first characters of your password. That sounds more credible. And brute force can guess the rest). 99% of the recipient correctly ignored the request. But one didn't (reason why you should not give admin privileges to all people, whatever their hierarchical position, and however hard they asked)
Same goes for all famous hacks. Every celebrity who was hacked, was that way. We variants, of course (imitation of a famous cloud login banner; send an email with "hey, check this", which direct you to something that ask you to authenticate with your google account". 90% of the target will ignore, but you care only about the 10% who will fall in the trap)
The remaining 1% are real hack. But 0,99% among those 1% of the time, not from real hackers.
Just people who use a catalog of breaches, and apply them (or, more simply, use a software that does that for them. Just click on a button, and it tries all known breaches on a target). It almost never work, on serious target. But, there again, they target 1000 sites. If one fall, that is a good day.
If you own a website, check the log. A very important part of the traffic is just attempts for famous breaches. I get hundred of those each day. They are trying automatically on every random IP.
So, what is left is the remaining 0,01%. The real hacks. The cases where someone identified a hack that was not yet known, and exploit it. Which allows him to attack a very specific system (this version of this OS of this brand of smartphone) in a very specific way (not all hacks allow to take control. It can be spying, making fake phone calls, etc).
Almost all devices you mentioned use constant updates to fix all known breach. So, no one can count on that (if you are fast enough, you can exploit a breach, in the short period between the moment it has been identified - supposing it was published before the fix, which is almost never the case - and the moment it is fixed. But hacking a person specifically cannot be done that way. You have to wait for such a breach to be known, and act very fast. And there is no way those rare event, those rare window of time occur for all those devices almost at the same time)
So, we can rule out the second case (usage of well known breach for not yet updated devices)
So, that left us with only 2 very remotely scenarios (in addition to the only one practically possible : either you are telling BS to us, either your boyfriend is telling BS to you) :
1) Your boyfriend is the dumbest person on earth. Some one called him and asked him the password of his computer, asked him to perform very specific operation on his smartphone, to install some apps, to perform very specific operations (installing a firmware with an USB key) on his smart tv, etc, etc.
And hje just replied "yes, I'll do it" each time.
In other word, HE hacked his own devices, on the instructions of someone, not understanding what he was doing.
That is, indeed, always possible. You can hack everything if your victim agrees to help you to do so.
2) Your boyfriend was victim of the biggest hack of all history.
Someone found a new breach, and a new exploit, and decided to exploit it himself or herself. (0,01% scenario)
But instead of taking advantage of this huge exploit, he/she decides not to blackmail Apple, Samsung, Sony, and who every build smartphone, smarttv, gaming console, etc.
Not to sell this exploit to mafias, or spying agencies. Not to get a reward from companies for playing "white hat". Not to get famous in the security community and be hired by a bunch of companies. But instead, just to harrass your boyfriend.
And he did that not once, for 5 or 6 times, almost simultaneously, for all devices.
He/she found him/herself a rare breach in xbox one, and find a way to exploit it, and instead of selling it to microsoft, or blackmailing microsoft, or selling it to mafia, etc, he decided to hack your boyfriend xbox. Very unlikely, but well, possible.
But he/she also, at the same time, also found a rare breach in the iphone, and a way to exploit it, and instead of getting very famous, or selling it to apple, etc, etc, he/she hacked your boyfriend iphone.
And at the same time, he/she also found a rare breach in the samsung smart tv, and... you get it.
As far as your router hypothesis: yes, OF COURSE, obviously, someone who did all that also had to hack the router (which is, again, another huge exploit). That is not the explanation why he also found a breach is all the devices. As someone else said, hacking the router do not give access to things plugged to it.
But that is a necessary step. There is no way you can hack the smarttv before you previously hacked the router.
So the router thing is not an easier path than the one I've described. It is, on the contrary, an extra obstacle on the path: yes, indeed, even if you found the same day a rare exploit for hacking xbox, another for hacking samsung smart tv, etc, you would need to also hack your boyfriend router to be able to use it.
So, sorry, that is really, really, really impossible. Even if the Chinese government is after him, they won't be able to do that.
And I haven't even talked yet about the claim that the phones of the visitors were also impacted.
You know, wikileaks (and other things like that) learned us two different things
1) Government are spying far more than they should. NSA is spying everybody, even head of states.
2) The method they have to use to do so prove that even NSA is helpless in front of most security.
They tried to standardize their own open source crypting algorithm (with a backdoor in it), in the hope that it would be adopted by some open source system. It didn't work (the weakness was spotted by community). And the good news is that, if they did so, it is because they simply can't bypass other encryption algorithm.
They had to steal phones, to bug them, to spy head of state phone calls. Because, they cannot simply remotely take control of them.
Even FBI needed monthes to bypass the loosy "4 digits" security code of the san bernardino shooter. And that was the easiest situation possible (they had the phone !!). They probably didnot really bypass it, and read directly the data in the ships.
So, bottom line : in movies all is possible.
In real life, it is like winning the loto: it can happen. It happens even quite frequently. Every weak someone does. But you cannot just decide to make it happen, even if you are very good at it. And even less decide to make it happen 6 different times the same week.
Hence the reason I've called BS in the first place.
Again, either you are trolling us (I don't believe you are, but that is a possibility. If you are, congratulation. You managed to obtain this huge answer from we, which is what troll want)
Either your boyfriend is telling you some BS. I don't know why. Probably to hide something, or to find an excuse. Maybe he just started with a small lie to find an excuse for not calling you back a day. And is now trapped in his own lie, and had to make it huge.
But that is just not possible.