Why bother.
Finding flaws in IoT tat is like shooting fix in a barrel with a howitzer.
All IoT kit should be labelled as a privacy and security risk and only allowed to be connected to the internet if the vendors are legally responsable for updating for at least 5 years.