Executive Summary
In January 2026, cybersecurity researchers revealed significant security flaws in WHILL's electric wheelchairs, which allowed attackers within Bluetooth range to remotely pair with the device due to the absence of authentication controls. This flaw enabled malicious actors to take control of the wheelchair, manipulating its movement, speed settings, and configuration profiles without requiring any credentials or user interaction. CISA subsequently issued an advisory highlighting the risk, underscoring that such vulnerabilities could result in dangerous, unauthorized maneuvers or override critical safety restrictions, potentially jeopardizing user safety and privacy.
This incident exemplifies the escalating risk posed by insecure IoT medical devices, especially those operated in public or semi-public settings. With threat actors increasingly targeting Bluetooth-enabled endpoints and the medical IoT landscape expanding rapidly, similar vulnerabilities are likely to be found in other transportation and assistive devices, increasing regulatory and patient-safety pressure on device manufacturers and healthcare providers.
Why This Matters Now
Unprotected Bluetooth connectivity in medical IoT devices poses an urgent patient safety risk, especially as the use of internet-connected assistive devices expands. Recent demonstrations and advisories show that attackers exploit even localized wireless channels if security best practices—like authentication and traffic encryption—are absent.
Attack Path Analysis
An attacker within Bluetooth range initiated a connection to a wheelchair that performed no Bluetooth authentication, which granted remote control of the device. Once connected, the adversary could change device settings and had full operational control. No privilege escalation was needed because no authentication existed; the same flaw could, however, be used to reach multiple devices within range. The attacker issued commands to the wheelchair and maintained control over the Bluetooth channel. Traditional data exfiltration was minimal, although configuration or telemetry could in principle be read over the unsecured Bluetooth link. The ultimate impact was direct: the adversary could manipulate, override, or disable critical safety controls, putting the user at risk.
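The "no authentication" condition above is decided by the Bluetooth pairing rules, so the following added example (not the report's or WHILL's code; it assumes the link is Bluetooth LE, which the report does not state) applies the Core Specification association-model selection to show when a peripheral ends up with no peer authentication at all. The wheelchair profiles in it are constructed assumptions, not the real device's IO capabilities.

```python
# Added example: which BLE association model two devices negotiate, per the
# Bluetooth Core Specification (Vol 3, Part H, Sec. 2.3.5.1), and whether that
# model authenticates the peer. Device profiles below are constructed.
from dataclasses import dataclass

DISPLAY_ONLY, DISPLAY_YESNO, KEYBOARD_ONLY = "DisplayOnly", "DisplayYesNo", "KeyboardOnly"
NO_IO, KEYBOARD_DISPLAY = "NoInputNoOutput", "KeyboardDisplay"
JUST_WORKS, PASSKEY, NUMERIC_COMPARISON, OOB = "JustWorks", "PasskeyEntry", "NumericComparison", "OutOfBand"
NO_PAIRING = "NoPairing"  # peripheral accepts control writes on a plain, unpaired link

@dataclass(frozen=True)
class PairingFeatures:
    io: str                           # IO capability in the Pairing Request/Response
    mitm: bool = False                # AuthReq MITM bit
    secure_connections: bool = False  # AuthReq SC bit (LE Secure Connections)
    oob: bool = False                 # out-of-band data available
    requires_pairing: bool = True     # refuses control writes until paired

def select_pairing_method(initiator: PairingFeatures, responder: PairingFeatures) -> str:
    """Return the association model the two devices would negotiate."""
    if not responder.requires_pairing:
        return NO_PAIRING
    sc = initiator.secure_connections and responder.secure_connections
    # OOB is chosen first: LE SC needs OOB data on either side, legacy pairing on both.
    if (initiator.oob or responder.oob) if sc else (initiator.oob and responder.oob):
        return OOB
    # If neither side requests MITM protection, IO capabilities are ignored.
    if not (initiator.mitm or responder.mitm):
        return JUST_WORKS
    a, b = initiator.io, responder.io
    if NO_IO in (a, b):
        return JUST_WORKS
    if KEYBOARD_ONLY in (a, b):
        return PASSKEY
    if DISPLAY_ONLY in (a, b):
        return PASSKEY if KEYBOARD_DISPLAY in (a, b) else JUST_WORKS
    # Both sides are DisplayYesNo or KeyboardDisplay.
    if sc:
        return NUMERIC_COMPARISON
    return JUST_WORKS if a == b == DISPLAY_YESNO else PASSKEY

def is_authenticated(method: str) -> bool:
    """Only Passkey Entry, Numeric Comparison and OOB give MITM protection."""
    return method in (PASSKEY, NUMERIC_COMPARISON, OOB)

# Constructed profiles: a modern phone and three hypothetical wheelchair builds.
PHONE = PairingFeatures(KEYBOARD_DISPLAY, mitm=True, secure_connections=True)
OPEN_WHEELCHAIR = PairingFeatures(NO_IO, requires_pairing=False)   # the reported flaw class
PAIRED_WHEELCHAIR = PairingFeatures(NO_IO, mitm=True, secure_connections=True)
OOB_WHEELCHAIR = PairingFeatures(NO_IO, mitm=True, secure_connections=True, oob=True)
```

The point a defender should take from running it: a peripheral with no display or keypad cannot reach an authenticated link through pairing alone, so requiring pairing is not enough and OOB data or application-layer authentication is needed.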
Kill Chain Progression
Initial Compromise
Description
Attacker established a Bluetooth connection to the wheelchair without authentication, exploiting the lack of enforcement to gain remote access.
Related CVEs
CVE-2025-14346
CVSS 9.8
WHILL Model C2 and Model F electric wheelchairs lack authentication for Bluetooth connections, allowing unauthorized remote control.
Affected Products:
WHILL Model C2 – All versions
WHILL Model F – All versions
Exploit Status:
Proof of concept
MITRE ATT&CK® Techniques
Attack techniques mapped from observable behaviors and control weaknesses; STIX/TAXII expansion possible in future releases.
Exploit Public-Facing Application
Brute Force: Single-Factor Authentication
Hardware Additions
Create Account
Process Injection
Data Destruction
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Users and Devices
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Information Security Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA ZTMM 2.0 – Access Control Mechanisms
Control ID: PR.AC-1
NIS2 Directive – Access Control and Asset Management
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
IoT wheelchair vulnerabilities expose critical medical device risks requiring HIPAA compliance, zero trust segmentation, and encrypted traffic protection for patient safety.
Medical Equipment
Bluetooth authentication failures in medical devices demand enhanced threat detection, anomaly response, and inline IPS protection to prevent unauthorized remote control.
Consumer Electronics
Widespread IoT device vulnerabilities necessitate multicloud visibility, egress security enforcement, and cloud native security fabric deployment across connected device ecosystems.
Transportation
Remote wheelchair hacking demonstrates the critical need for east-west traffic security, Kubernetes protection, and secure hybrid connectivity in mobility assistance technologies.
Sources
- Hacking Wheelchairs over Bluetooth: https://www.schneier.com/blog/archives/2026/01/hacking-wheelchairs-over-bluetooth.html
- WHILL Wheelchair Vulnerability Advisory (CISA ICSMA-25-364-01): https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01
- Researchers Expose WHILL Wheelchair Safety Risks via Remote Hacking: https://www.securityweek.com/researchers-expose-whill-wheelchair-safety-risks-via-remote-hacking/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust CNSF controls such as segmentation, policy enforcement, visibility, and anomaly detection could have restricted or alerted on unauthorized Bluetooth access, limiting initial compromise, command/control, and device impact. Integrating east-west traffic controls and continuous anomaly monitoring would greatly reduce the risk of similar IoT device attacks propagating or causing harm.
Control: Zero Trust Segmentation
Mitigation: Blocked unauthorized device discovery and pairing.
Control: Zero Trust Segmentation
Mitigation: Prevented escalation by restricting device management access to authenticated and authorized entities only.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized lateral communication attempts between devices.
Control: Threat Detection & Anomaly Response
Mitigation: Raised alerts for unauthorized or anomalous device control activity.
Control: Egress Security & Policy Enforcement
Mitigation: Restricted unauthorized outbound data or configuration export.
Together, real-time control and policy enforcement would reduce operational disruption and limit the potential impact.
Impact at a Glance
Affected Business Functions
- Product Safety
- Customer Support
Estimated downtime: 7 days
Estimated loss: $500,000
No sensitive data exposure reported; primary risk involves unauthorized control of wheelchair functions.
Recommended Actions
Key Takeaways & Next Steps
- Enforce device-level Zero Trust segmentation and least-privilege policies to prevent unauthorized access to IoT/medical equipment.
- Implement network-level east-west security controls to block lateral movement between similar devices in shared environments.
- Deploy continuous anomaly detection and behavioral monitoring to rapidly detect and respond to unauthorized device commands or changes.
- Apply strict egress policy enforcement to limit the export of sensitive configuration or telemetry data from IoT/OT assets.
- Integrate CNSF capabilities for real-time, autonomous policy enforcement and visibility across all network-connected devices.

