Security researchers have demonstrated a critical vulnerability in high-tech electric wheelchairs that allows for unauthorized remote control, highlighting new safety risks for connected mobility devices.
On December 30, the US cybersecurity agency CISA published an advisory to inform the public about a serious vulnerability discovered by researchers in electric wheelchairs made by WHILL, a Japan-based company whose personal electric mobility devices are sold around the world.
According to CISA’s advisory, WHILL Model C2 and Model F electric wheelchairs are affected by a missing authentication vulnerability. The issue is tracked as CVE-2025-14346 and it has been assigned a critical severity rating.
CISA said the WHILL wheelchairs did not enforce authentication for Bluetooth connections, allowing an attacker who is in Bluetooth range of the targeted device to pair with it. The attacker could then control the wheelchair’s movements, override speed restrictions, and manipulate configuration profiles, all without requiring credentials or user interaction.
The flaw was discovered by a team from QED Secure Solutions, a research-driven cybersecurity firm that helps private and government organizations secure operational technology (OT) and other critical systems.
QED researchers have been demonstrating attacks with a potentially severe impact for many years. Nearly a decade ago, at the Black Hat conference, they showed how hackers could cause physical damage to vehicles and injure their occupants by remotely hacking a car wash.
QED co-founder Billy Rios told SecurityWeek that the vulnerability in WHILL wheelchairs was discovered during an annual hackathon organized by the company in 2025.
“We usually pick a technology, purchase it, travel to a central location, and then spend a week or two hacking it,” Rios, who is a reputable security researcher, explained.
During their experiments, QED researchers successfully gained physical control of the wheelchair, maneuvering the device using a keyboard and a game controller. By disabling integrated safety features, the researchers were able to operate the wheelchair at speeds exceeding its intended remote-control parameters.
To demonstrate a high-impact theoretical scenario, the team developed an exploit designed to automatically compromise any WHILL wheelchair within proximity. SecurityWeek reviewed a video demonstration of this exploit, which showed a wheelchair being remotely driven off a flight of stairs at high speed.

While an attacker must initially be within Bluetooth range to execute the exploit, Rios noted that it is theoretically possible to maintain control even after the device moves out of the original range. “We didn’t demonstrate this, but it is possible,” Rios said.
WHILL also has an autonomous wheelchair model, but Rios said they have yet to test it.
According to CISA’s advisory, WHILL issued a patch and deployed mitigations for several security issues in late December 2025. However, Rios stated that his team was not provided with the update, leaving them unable to verify whether it effectively prevents the documented attacks. It’s unclear whether the patch is automatically deployed to devices or if users have to manually install it.
Rios pointed out that while the research was conducted “for fun”, the vulnerability raises serious questions about the security of WHILL products.
The vendor has obtained FDA clearance for its products, but the government agency is likely not aware that WHILL wheelchairs lacked essential protections, such as strong authentication and encryption, as well as firmware code signing, the researcher said.
“This is especially troubling, given that we demonstrated clear patient-safety risks associated with their wheelchairs,” Rios said.
WHILL has not responded to SecurityWeek’s request for comment.

