Executive Summary
In December 2025, a critical IoT vulnerability (CVE-2025-14346) was disclosed in WHILL Model C2 Electric Wheelchairs and Model F Power Chairs, widely used in healthcare and public health sectors. Researchers discovered that these devices failed to enforce authentication for Bluetooth connections, enabling attackers within physical range to pair, take full control, issue movement commands, bypass safety restrictions, and alter configuration profiles with no user credentials required. The issue impacted all device versions, prompting emergency firmware mitigations from WHILL Inc. to restrict unauthorized access and manipulation.
This incident underscores urgent risks associated with the growing attack surface in medical IoT and connected healthcare devices. Increasing reliance on wireless interfaces heightens exposure to exploitation, mandating stronger security and authentication measures as the threat landscape evolves.
Why This Matters Now
As hospitals and care environments integrate more IoT-based mobility aids, any lapse in wirelessly enforced authentication instantly translates to real-world patient safety risks and potential regulatory non-compliance. Immediate action is required to secure healthcare IoT devices before attackers can exploit such critical trust gaps.
Attack Path Analysis
An attacker within Bluetooth range exploited the missing authentication to pair directly with the wheelchair, gaining unauthorized control. Leveraging this unprotected access, the adversary issued privileged movement and configuration commands. No lateral movement was required because the compromise was direct, although internal device controls could potentially be manipulated further. The attacker maintained an ongoing command channel over Bluetooth without obstruction, and although direct data exfiltration was not observed, configuration or usage data could be intercepted. Ultimately, unauthorized commands could alter safety controls or physically move the device, posing a high-impact threat to patient safety and device availability.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the lack of Bluetooth authentication to directly pair with and access the critical controls of the wheelchair within wireless range.
Related CVEs
CVE-2025-14346
CVSS 9.8
WHILL Model C2 Electric Wheelchairs and Model F Power Chairs lack authentication for Bluetooth connections, allowing attackers within range to control the device.
Affected Products:
WHILL Inc. Model C2 Electric Wheelchair – all versions
WHILL Inc. Model F Power Chair – all versions
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Modify Authentication Process
Network Sniffing
Exploitation for Privilege Escalation
Data Encrypted for Impact
Endpoint Denial of Service
Inhibit System Recovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Strong Authentication for System Components
Control ID: 8.2.2
NIS2 Directive – Access Control Policies and Procedures
Control ID: Article 21(2)(d)
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
CISA Zero Trust Maturity Model 2.0 – Verify All Access
Control ID: Identity Pillar: Authentication
DORA (Digital Operational Resilience Act) – ICT Risk Management Measures
Control ID: Article 9
ISO/IEC 27001:2022 – User Access Provisioning
Control ID: A.9.2.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Electric wheelchairs with Bluetooth vulnerabilities expose patients to unauthorized control of the device, putting HIPAA compliance at risk and creating critical healthcare infrastructure risks.
Medical Equipment
IoT vulnerability in medical mobility devices enables remote exploitation without authentication, compromising device integrity and patient care delivery systems.
Individual/Family Services
Wheelchair control vulnerabilities threaten personal mobility independence, exposing vulnerable populations to unauthorized device manipulation and safety hazards within Bluetooth range.
Consumer Electronics
Bluetooth-enabled mobility devices demonstrate critical IoT security gaps, requiring zero trust segmentation and encrypted traffic protection for consumer safety.
Sources
- WHILL Model C2 Electric Wheelchairs and Model F Power Chairs: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, enforcement of strong intra-device traffic controls, continuous visibility, and anomaly/threat detection could have denied Bluetooth-based compromise, restricted attacker actions, and provided real-time alerting of anomalous access or unsafe commands in critical healthcare IoT scenarios.
Control: Zero Trust Segmentation
Mitigation: Access attempts from unauthorized or untrusted endpoints would be denied at the protocol or network layer.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid deviation from normal command patterns would trigger alerts and automated responses.
Control: East-West Traffic Security
Mitigation: Unapproved inter-module or intra-device communications would be blocked or tightly monitored.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Distributed inline policy would detect and disrupt persistent or covert C2 patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data flow from device is tightly restricted and monitored, preventing unauthorized data transfer.
Critical unsafe or destructive actions prompt immediate alerts and possible automated mitigation.
Impact at a Glance
Affected Business Functions
- Patient Mobility
- Medical Equipment Safety
Estimated downtime: N/A
Estimated loss: N/A
No data exposure reported.
Recommended Actions
Key Takeaways & Next Steps
- Enforce strong authentication and Zero Trust segmentation on all wireless and networked interfaces for IoT medical devices.
- Implement comprehensive east-west and workload-to-workload security controls to prevent unauthorized lateral access within device systems.
- Deploy real-time anomaly detection and incident response capabilities to identify unsafe or abnormal command sequences.
- Restrict and monitor all device egress traffic using granular policy enforcement to prevent data exfiltration or unsafe control communications.
- Establish centralized visibility and continuous monitoring to rapidly detect, alert, and respond to deviations from expected IoT device behavior.