WHILL Model C2 Electric Wheelchairs and Model F Power Chairs Missing Bluetooth Authentication Vulnerability

A vulnerability exists in WHILL Model C2 Electric Wheelchairs and Model F Power Chairs due to a lack of authentication for Bluetooth connections. This flaw allows an attacker within range to pair with the device and control its movement, bypass speed limits, and alter configuration profiles, all without needing credentials or user interaction.

Impact

Exploitation of this vulnerability could enable an attacker within Bluetooth range to gain control of the affected wheelchair or power chair, allowing them to manipulate movement and settings at will.

Remediation

Users are advised to contact WHILL Inc. for guidance. CISA recommends minimizing network exposure for control system devices, isolating them from business networks, and using secure remote access methods like VPNs. Additional CISA resources on ICS cybersecurity best practices are available on the CISA ICS webpage.