The goal of the project is to assess some aspects of the security of the chosen computer-based system. It is not necessary to find vulnerabilities in order to produce an excellent thesis report. The goal is, instead, to convincingly demonstrate whether the system is secure or not, given certain delimitations. Of course, a discovered vulnerability will demonstrate that the system in some respect lacks security, but a comprehensive exploration of a chosen attack surface can equally well demonstrate the opposite.

You can state your objective in the form of a research question: “Is device X secure against cyber attacks?”.

Note that you might want to delimit the research question if there are attacks that you know that you will not explore.