Researchers Expose WHILL Wheelchair Safety Risks via Remote Hacking

The rise of connected medical devices has transformed patient independence, but it also expands the attack surface for cyber‑threat actors. Electric wheelchairs such as WHILL’s C2 and F models blend mobility assistance with wireless connectivity, positioning them as prime targets for Bluetooth‑based exploits. While manufacturers tout convenience and FDA clearance, many overlook fundamental security controls like authentication and firmware signing. This gap mirrors broader trends where regulatory focus remains on clinical efficacy rather than digital resilience, leaving users vulnerable to remote manipulation.

The disclosed CVE‑2025‑14346 vulnerability eliminates any pairing handshake, enabling an adversary within Bluetooth range to commandeer the chair with a simple keyboard or game controller. Researchers demonstrated the device accelerating beyond its designed limits and even being driven down a staircase, underscoring the physical danger of unchecked remote access. Because Bluetooth signals can propagate through walls and be amplified with relay attacks, the threat extends beyond immediate proximity, raising concerns for caregivers, hospitals, and public spaces where wheelchairs operate.

WHILL’s December 2025 patch signals a reactive approach, but without transparent verification the risk persists. The episode pressures the FDA and other oversight bodies to integrate cybersecurity criteria into medical device approvals, similar to recent guidance for implantable cardiac devices. Manufacturers must adopt secure‑by‑design practices, including mandatory authentication, encrypted communications, and signed firmware updates. For end‑users, regular software updates and awareness of Bluetooth exposure are essential safeguards until industry standards catch up with the realities of connected mobility.