A critical Bluetooth authentication vulnerability has been discovered in WHILL's Model C2 electric wheelchairs and Model F power chairs, tracked as CVE-2025-14346, with a CVSS score of 8.8 (High). This security flaw allows attackers within wireless range to pair with these mobility devices without authentication, potentially gaining unauthorized control over critical functions. The vulnerability stems from an improper authentication mechanism in the Bluetooth Low Energy (BLE) implementation, which fails to properly validate pairing requests, enabling malicious actors to establish connections and send commands to the wheelchair's control system.

Technical Details of CVE-2025-14346

The vulnerability exists in the BLE communication stack of affected WHILL models, specifically in how the devices handle pairing requests during the connection establishment phase. According to security researchers, the flaw allows any Bluetooth-enabled device within approximately 10 meters (30 feet) to connect to the wheelchair without requiring any authentication credentials or user confirmation. Once connected, an attacker could potentially send malicious commands to the wheelchair's control system, though the exact extent of control depends on the specific implementation and security layers within the device firmware.

Security analysis reveals that the vulnerability affects the pairing mechanism that should normally require user confirmation or a predefined authentication method. Instead, the affected WHILL models accept pairing requests without proper validation, creating what security experts describe as an "open door" to the device's control systems. This type of vulnerability is particularly concerning for medical mobility devices, where safety and reliability are paramount considerations for users who depend on these devices for daily mobility.
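To make the pairing weakness concrete, the following is an added example, not WHILL firmware or code from the article: a constructed model of how a BLE peripheral's Security Manager evaluates an incoming SMP Pairing Request, with a permissive responder (headless, never demanding MITM protection, so every peer falls back to Just Works) beside a hardened one that refuses unauthenticated pairing. The DisplayYesNo capability of the hardened responder and the sample PDUs are assumptions.

```python
# Added example, not WHILL code: a constructed model of how a BLE peripheral's
# Security Manager judges an incoming SMP Pairing Request (Core spec Vol 3, Part H:
# opcode, IO capability, OOB flag, AuthReq, max key size, init/resp key distribution).
from dataclasses import dataclass
IO_CAP = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
          0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}
AUTHREQ_BONDING, AUTHREQ_MITM, AUTHREQ_SC = 0x01, 0x04, 0x08  # AuthReq bit flags

@dataclass
class PairingRequest:
    io_cap: int
    authreq: int
    max_key_size: int

def parse_pairing_request(pdu: bytes) -> PairingRequest:
    if len(pdu) != 7 or pdu[0] != 0x01:       # 0x01 = SMP Pairing Request opcode
        raise ValueError("not an SMP Pairing Request")
    return PairingRequest(io_cap=pdu[1], authreq=pdu[3], max_key_size=pdu[4])

def select_method(req: PairingRequest, local_io_cap: int, local_authreq: int) -> str:
    """Association model per the SMP IO-capability mapping (OOB not modelled)."""
    if not ((req.authreq | local_authreq) & AUTHREQ_MITM):
        return "JustWorks"                     # neither side asked for MITM protection
    caps = {IO_CAP[req.io_cap], IO_CAP[local_io_cap]}
    if "NoInputNoOutput" in caps:
        return "JustWorks"                     # one side can neither confirm nor type
    if "KeyboardOnly" in caps:
        return "Passkey"
    if "DisplayOnly" in caps:
        return "Passkey" if "KeyboardDisplay" in caps else "JustWorks"
    if req.authreq & local_authreq & AUTHREQ_SC:
        return "NumericComparison"             # DisplayYesNo/KeyboardDisplay with LE SC
    return "JustWorks" if caps == {"DisplayYesNo"} else "Passkey"

def permissive_policy(pdu: bytes) -> str:
    """Weak headless responder that never requires MITM: every peer lands on Just Works."""
    return select_method(parse_pairing_request(pdu), 0x03, AUTHREQ_BONDING)

def hardened_policy(pdu: bytes) -> str:
    """Assumed DisplayYesNo responder: requires MITM, LE SC and a 128-bit key, else Pairing Failed."""
    req = parse_pairing_request(pdu)
    method = select_method(req, 0x01, AUTHREQ_BONDING | AUTHREQ_MITM | AUTHREQ_SC)
    if method == "JustWorks" or req.max_key_size < 16 or not (req.authreq & AUTHREQ_SC):
        return "REJECT"
    return method

# Constructed sample PDUs: a phone-like initiator and a headless one that cannot authenticate.
PHONE = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x0F, 0x0F])
HEADLESS = bytes([0x01, 0x03, 0x00, 0x01, 0x10, 0x0F, 0x0F])
```

With the permissive policy both sample initiators pair via Just Works without any confirmation; the hardened policy pairs the phone through Numeric Comparison and answers the headless peer with a pairing failure.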

Impact on WHILL Wheelchair Users

The practical implications of CVE-2025-14346 are significant for users of affected WHILL wheelchairs. In a worst-case scenario, an attacker could potentially interfere with the wheelchair's operation, though security researchers note that the vulnerability primarily enables unauthorized connection rather than guaranteed full control. The risk is particularly acute in crowded public spaces, healthcare facilities, or any environment where multiple Bluetooth devices might be present within range.

Users should be aware that while the vulnerability enables unauthorized pairing, the actual impact depends on several factors including the wheelchair's specific configuration, whether additional security measures are implemented at the application layer, and the attacker's technical capabilities. However, the mere possibility of unauthorized access to a medical mobility device represents a serious security concern that requires immediate attention from both manufacturers and users.

WHILL's Response and Mitigation Measures

WHILL has acknowledged the vulnerability and is reportedly working on firmware updates to address the security flaw. The company has advised users to take immediate precautionary measures while awaiting official patches. Recommended temporary mitigations include:

  • Disabling Bluetooth when not actively using connected features
  • Avoiding use of the wheelchair's Bluetooth functionality in public or crowded spaces
  • Keeping the wheelchair in a secure, private location when not in use
  • Monitoring for official firmware updates from WHILL

Security experts emphasize that while these measures can reduce risk, they don't eliminate the vulnerability entirely. The fundamental issue resides in the device's firmware and requires a proper security patch to fully resolve the authentication bypass vulnerability.

Broader Implications for IoT and Medical Device Security

CVE-2025-14346 highlights growing concerns about security in Internet of Things (IoT) devices, particularly in the medical and assistive technology sectors. As mobility devices become increasingly connected and feature-rich, they also become potential targets for security vulnerabilities. This incident follows a pattern of similar Bluetooth-related vulnerabilities discovered in various IoT devices over recent years, suggesting that many manufacturers may be prioritizing functionality over security in their implementation of wireless connectivity features.

The medical device industry faces unique challenges in balancing security requirements with usability and accessibility needs. For wheelchair users, Bluetooth connectivity often enables valuable features like smartphone control, remote diagnostics, and integration with other assistive technologies. However, as this vulnerability demonstrates, inadequate security implementation can expose users to potential risks that outweigh the benefits of connectivity.

Recommendations for Affected Users

Users of WHILL Model C2 and Model F wheelchairs should take the following immediate actions:

  1. Contact WHILL Support: Reach out to WHILL's customer support to confirm whether your specific device is affected and inquire about firmware update timelines.

  2. Implement Temporary Mitigations: Follow WHILL's recommended precautions regarding Bluetooth usage until a security patch is available and installed.

  3. Monitor for Updates: Regularly check WHILL's official website and support channels for security updates and installation instructions.

  4. Assess Usage Patterns: Consider whether Bluetooth features are essential for your daily needs; if they are not, keep Bluetooth disabled as a precautionary measure.

  5. Report Suspicious Activity: If you notice any unusual behavior with your wheelchair's controls or connectivity, document the incidents and report them to WHILL and relevant authorities.

The Future of Connected Mobility Device Security

This vulnerability serves as a wake-up call for the entire assistive technology industry regarding the importance of robust security in connected devices. As mobility aids become increasingly sophisticated with features like autonomous navigation, environmental sensing, and remote monitoring capabilities, security must be integrated into the design process from the earliest stages rather than treated as an afterthought.

Industry experts predict increased regulatory scrutiny and potential security standards for connected medical devices following incidents like CVE-2025-14346. Manufacturers will likely face pressure to implement more rigorous security testing, regular vulnerability assessments, and timely patch management processes for their connected products.

For users, this incident underscores the importance of staying informed about security updates for any connected devices they depend on for daily living. Just as computer and smartphone users have become accustomed to regular security updates, users of connected medical devices may need to adopt similar practices to ensure their safety and privacy in an increasingly connected world.

Conclusion

The discovery of CVE-2025-14346 in WHILL wheelchairs represents a significant security concern for users of these mobility devices. While the immediate risk can be mitigated through precautionary measures, the vulnerability highlights broader challenges in securing connected medical devices against potential threats. As WHILL works to develop and distribute security patches, users should remain vigilant about their device security and follow recommended precautions. This incident serves as an important reminder that as assistive technologies become more connected and sophisticated, security considerations must keep pace to protect the users who depend on these devices for their mobility and independence.