The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding a critical safety vulnerability in popular electric mobility devices that could turn a user’s wheelchair into a remote-controlled danger. The flaw, affecting WHILL Model C2 and Model F power chairs, allows unauthorized attackers to seize full control of the device via Bluetooth, potentially endangering riders.
The vulnerability, tracked as CVE-2025-14346, carries a critical CVSS score of 9.8, signaling an imminent and high-severity risk to physical safety.
The core of the issue lies in a lack of security hygiene in the device’s connectivity protocols. According to the advisory, the affected wheelchairs “do not enforce authentication for Bluetooth connections”. This oversight creates an open door for anyone with a smartphone or laptop within signal range.
“An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction,” the report warns.
The implications are physically dangerous. A malicious actor could theoretically accelerate the chair, stop it abruptly, or steer it against the user’s will—all without ever physically touching the device.
The vulnerability is specific to WHILL’s modern electric mobility lineup:
- Model C2 Electric Wheelchair
- Model F Power Chair
WHILL Inc. acted to address the flaw with a series of fixes deployed on December 29th, 2025. The mitigation strategy focuses on both firmware hardening and application security to prevent remote hijacking.
Key fixes include:
- Speed Profile Protection: New safeguards in the firmware now “prevent unauthorized modification of speed profiles from the mobile application,” stopping attackers from dangerously increasing the device’s top speed.
- Motion Lockout: To prevent sudden stops or unlocking mid-ride, the update blocks “unlock commands issued from either the mobile app or the smart key while the wheelchair is in motion”.
- App Obfuscation: The vendor has moved to “obfuscate the configuration files used by the mobile application by converting JSON files into a binary format on both Android and iOS platforms,” making it harder for reverse engineers to understand and tamper with the app’s logic.
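The three firmware-side controls above amount to a command gate that authenticates the Bluetooth peer and then checks the command against the chair's state. The following is an added illustration written for this article, not WHILL's code; the command names, the `Source` roles and the flat refusal of speed-profile writes from the app are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Source(Enum):
    MOBILE_APP = "mobile_app"
    SMART_KEY = "smart_key"

@dataclass
class Peer:
    source: Source
    authenticated: bool  # True only after an authenticated Bluetooth pairing

@dataclass
class ChairState:
    locked: bool = True
    in_motion: bool = False
    speed_profile: int = 1  # hypothetical profile index, 1 = slowest

@dataclass
class Decision:
    accepted: bool
    reason: str

def handle_command(state: ChairState, peer: Peer, command: str, arg=None) -> Decision:
    """Apply the advisory's controls in firmware before any command acts on the chair.
    Client-side obfuscation of the app's config is deliberately not modelled: the
    decision has to be made here, where the attacker cannot rewrite it."""
    # Control 1: authentication is enforced for every Bluetooth peer.
    if not peer.authenticated:
        return Decision(False, "unauthenticated Bluetooth peer")
    if command == "set_speed_profile":
        # Control 2: speed profiles cannot be modified from the mobile app.
        if peer.source is Source.MOBILE_APP:
            return Decision(False, "speed profile changes from the app are refused")
        state.speed_profile = int(arg)
        return Decision(True, f"speed profile set to {state.speed_profile}")
    if command == "unlock":
        # Control 3: no unlock from app or smart key while the chair is moving.
        if state.in_motion:
            return Decision(False, "unlock refused while the wheelchair is in motion")
        state.locked = False
        return Decision(True, "unlocked")
    if command == "move":
        if state.locked:
            return Decision(False, "chair is locked")
        state.in_motion = True
        return Decision(True, "moving")
    if command == "stop":
        state.in_motion = False
        return Decision(True, "stopped")
    return Decision(False, f"unknown command {command!r}")
```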
Users and caregivers are urged to contact WHILL Inc. immediately for more information on ensuring their devices are updated and safe to use.