The Internet of Things has changed the way we interact with the environment around us in our daily life, and it is increasingly common to find more than one IoT device in our home. However, the current design approaches adopted by the vendors are more oriented towards customer usability than to security. This often results in more and more devices exposing serious security problems. This work focuses on the security implications, i.e. the threats and the risks, of the current IoT pairing mechanisms and represents a step forward in the definition of our automated penetration testing methodology. In addition to the general threat model for a general IoT pairing process, we present the analysis of a QR code-based pairing mechanism implemented by a class of devices taken from the real market, which led to the identification of two vulnerabilities, one of which publicly disclosed as CVE-2021-27941
