Description
WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2026-0842 (CVE-2025-14346)
Vulnerability: Unauthenticated Bluetooth Command Injection in WHILL Electric Wheelchairs
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
EUVD-2026-0842 (CVE-2025-14346) describes a critical authentication bypass vulnerability in WHILL Model C2 Electric Wheelchairs and Model F Power Chairs, where Bluetooth Low Energy (BLE) connections lack proper authentication mechanisms. An unauthenticated attacker within radio range (~10-30 meters, depending on environmental factors) can:
- Pair with the device without credentials or user interaction.
- Issue movement commands, including directional control and speed adjustments.
- Override safety-critical speed restrictions (e.g., disabling maximum speed limits).
- Manipulate configuration profiles, potentially altering device behavior permanently.
Severity Evaluation (CVSS v4.0)
The Base Score of 9.3 (Critical) corresponds to the following CVSS v4.0 metrics as recorded for this entry:
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Recorded as Network; no physical access to the chair is required. Note that the CVSS specification places Bluetooth and other short-range radio attacks under Adjacent (A), and scoring AV:A instead would lower the base score. |
| Attack Complexity (AC) | Low (L) | No specialized conditions; standard Bluetooth tools suffice. |
| Attack Requirements (AT) | None (N) | No preconditions such as prior pairing state or a race window must be met. |
| Privileges Required (PR) | None (N) | No authentication or elevated privileges required. |
| User Interaction (UI) | None (N) | The user need not confirm a pairing prompt or take any other action. |
| Vulnerable Confidentiality (VC) | High (H) | Device information and configuration profiles can be read over the unauthenticated link. |
| Vulnerable Integrity (VI) | High (H) | Movement commands and configuration writes are accepted from any peer; configuration changes can persist after the attack. |
| Vulnerable Availability (VA) | High (H) | The attacker can halt the chair or flood it with conflicting commands, denying the user its use. |
| Subsequent Confidentiality (SC) | None (N) | No additional data exposure beyond device control. |
| Subsequent Integrity (SI) | None (N) | No further integrity impact beyond initial exploitation. |
| Subsequent Availability (SA) | None (N) | No cascading availability impact beyond the device. |
Key Takeaways:
- Exploitability: Trivial (no authentication, no user interaction).
- Impact: Physical safety risk (unauthorized movement, speed override).
- Scope: Limited to direct Bluetooth range, but no internet exposure required.
- Persistence: Configuration changes may survive reboots.
2. Potential Attack Vectors & Exploitation Methods
Attack Surface
The vulnerability stems from an insecure BLE implementation, specifically:
- Control and configuration characteristics are reachable on a plain connection: no pairing, no bonding and no MITM-protected (authenticated) pairing is required before writes are accepted.
- No per-peer authorization: any central that connects can issue commands, not only the owner's app or controller.
- No application-layer protection: commands carry no message authentication, no freshness value (counter or nonce) and no encryption beyond whatever the link layer happens to negotiate.
Exploitation Workflow
1. Discovery & Reconnaissance
   - The attacker scans for advertising WHILL devices with standard tools (e.g., hcitool lescan or bluetoothctl on Linux, nRF Connect on a phone).
   - GATT service discovery (BLE has no SDP; that belongs to Bluetooth Classic) reveals the exposed services, e.g., 0x180A for Device Information and a vendor-specific service. 0xFFE0 is used throughout this analysis as an illustrative placeholder for that service, not as a confirmed WHILL UUID.
2. Unauthenticated Connection
   - The attacker connects directly. If the device requests pairing at all, Just Works completes it without a PIN or user confirmation.
   - Tools such as GATTacker or Bettercap can automate connection and characteristic enumeration.
3. Command Injection
   - The attacker writes to the vendor characteristic that handles movement control (0xFFE1 in the illustrative layout used here). Example payload classes:
     - Movement commands (forward, backward, left, right).
     - Speed override (disabling safety limits).
     - Configuration writes (altering max speed, acceleration profiles).
4. Post-Exploitation
   - Denial of Service (DoS): repeatedly sending conflicting commands to disable the device.
   - Physical Harm: forcing sudden stops or high-speed movements in unsafe environments.
   - Persistence: writing configuration that survives disconnection and reboot, so the effect outlasts the attacker's presence.
Proof-of-Concept (PoC) Tools
- Bluetooth Hacking Frameworks:
  - BlueZ (bluetoothctl, gatttool; gatttool is deprecated in BlueZ 5 but still widely used)
  - Bettercap (BLE enumeration and characteristic reads/writes)
  - GATTacker (BLE MITM proxy for capture and replay attacks)
- Custom Scripting:
  - Python (bleak, pygatt) to automate connection and writes.
  - Ubertooth One for passive BLE sniffing.
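The reconnaissance step above reduces to one question an auditor wants answered: which characteristics accept writes on a link that was never authenticated? The script below is an added example (not WHILL's code and not from this entry); it uses the bleak library to connect without pairing and classifies what it finds. The 0xFFE0/0xFFE1 UUIDs, the link-security levels and the sample characteristic table are assumptions for illustration.

```python
"""Audit a BLE peripheral for characteristics writable on an unauthenticated link.
Added example, not WHILL's code. The 0xFFE1 UUID, the sample GATT table and the
bleak-based audit routine are assumptions for illustration."""
import asyncio
import sys
from dataclasses import dataclass

# Bluetooth SIG base UUID: a 16-bit UUID XXXX expands to 0000XXXX-<suffix>.
BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"
WRITE_PROPS = {"write", "write-without-response"}


def uuid16(short: int) -> str:
    """Expand a 16-bit UUID (e.g. 0xFFE1) to the 128-bit form bleak reports."""
    return f"0000{short:04x}{BT_BASE_SUFFIX}"


def is_vendor_uuid(uuid: str) -> bool:
    """True for vendor-defined UUIDs. SIG-assigned GATT service/characteristic
    16-bit UUIDs sit in 0x1800-0x2BFF; 0xFE00-0xFFFF (where 0xFFE0 sits) is the
    member-assigned range, and a full 128-bit UUID is always vendor-specific."""
    u = uuid.lower()
    if not (u.startswith("0000") and u.endswith(BT_BASE_SUFFIX)):
        return True
    return not 0x1800 <= int(u[4:8], 16) <= 0x2BFF


@dataclass(frozen=True)
class CharInfo:
    uuid: str
    properties: tuple  # GATT property names as bleak lists them, e.g. ("read", "write")


def exposed_writable(chars, link_security: str):
    """Return the characteristics an attacker in radio range could write to.

    link_security is what the audit link actually negotiated:
      "none"          - connected, never paired: every writable characteristic is exposed
      "just-works"    - encrypted but unauthenticated (no MITM protection): still exposed,
                        because any peer can complete Just Works pairing
      "authenticated" - passkey / numeric comparison / LE Secure Connections with MITM
                        protection: writes are gated on a trusted peer
    """
    if link_security not in ("none", "just-works", "authenticated"):
        raise ValueError(f"unknown link security level: {link_security!r}")
    if link_security == "authenticated":
        return []
    return [c for c in chars if WRITE_PROPS & set(c.properties)]


def summarize(chars, link_security: str) -> dict:
    """Vendor-defined writable characteristics are the ones that typically carry
    control commands, so they are reported separately from SIG-defined ones."""
    exposed = exposed_writable(chars, link_security)
    return {
        "exposed_total": len(exposed),
        "exposed_vendor": [c.uuid for c in exposed if is_vendor_uuid(c.uuid)],
        "exposed_sig": [c.uuid for c in exposed if not is_vendor_uuid(c.uuid)],
    }


async def audit(address: str) -> dict:
    """Connect without ever calling pair() and enumerate the GATT table.
    Needs a Bluetooth adapter and the bleak package, so the import is lazy."""
    from bleak import BleakClient

    async with BleakClient(address) as client:
        chars = [
            CharInfo(ch.uuid, tuple(ch.properties))
            for svc in client.services
            for ch in svc.characteristics
        ]
    # bleak does not report the negotiated security level; since we never paired,
    # anything writable here was writable on a plain link.
    return summarize(chars, "none")


if __name__ == "__main__":
    print(asyncio.run(audit(sys.argv[1])))
```

A non-empty exposed_vendor list on a device that should only obey its owner's controller is the finding this entry describes. The same classifier can be fed from a gatttool or nRF Connect dump when scripting against the adapter is not an option.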
3. Affected Systems & Software Versions
Impacted Products
| Product | Vendor | Affected Versions | ENISA ID |
|---|---|---|---|
| WHILL Model C2 Electric Wheelchair | WHILL | All versions | 9e1f22be-6f71-318b-adb4-6aa4a9b14b8a |
| WHILL Model F Power Chair | WHILL | All versions | 1055771e-5f53-30d1-8222-76837dccccf0 |
Scope of Impact
- Geographical: wherever the products are sold (WHILL is a Japanese company with a significant EU market presence); this EUVD entry tracks the European exposure.
- Sector: Medical devices, assistive technologies, IoT healthcare.
- User Base: Mobility-impaired individuals, healthcare facilities, and home users.
4. Recommended Mitigation Strategies
Immediate Actions (End Users & Healthcare Providers)
- Disable Bluetooth When Not in Use
- Power off the wheelchair or disable Bluetooth via physical controls (if available).
- Physical Security Measures
- Restrict access to the device in public spaces (e.g., hospitals, care homes).
- Monitor for Unauthorized Pairing
- Check for unexpected Bluetooth connections via device logs (if accessible).
Vendor-Side Fixes (WHILL)
- Implement Secure BLE Pairing
- Numeric Comparison or Passkey Entry (NIST SP 800-121 compliant).
- LE Secure Connections (using ECDH for key exchange).
- Role-Based Access Control (RBAC)
- Restrict command execution to authenticated controllers (e.g., paired smartphones).
- Message Authentication & Encryption
- AES-CCM for BLE data encryption.
- HMAC for command integrity verification.
- Firmware Updates
- Over-the-Air (OTA) updates to patch vulnerable devices.
- Fallback to wired updates if Bluetooth is compromised.
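The "Message Authentication" fix above, and the replay attacks discussed later under exploit development, come down to the same design: every command carries a keyed MAC and a monotonic counter, and the chair, not the controller, enforces the speed limit. The code below is an added example and not WHILL's protocol; the frame layout, opcodes, tag length and the assumption that the key is derived when a controller is authenticated (for instance from the LE Secure Connections bond) are all illustrative.

```python
"""Authenticated, replay-resistant command frames beside the unauthenticated
design the advisory describes. Added example; not WHILL's protocol. The frame
layout, opcodes and key provisioning are assumptions."""
import hashlib
import hmac
import struct

# Hypothetical frame: opcode(1) | speed_pct(1) | counter(4, big-endian) | tag(16)
OP_STOP, OP_FORWARD, OP_BACKWARD, OP_LEFT, OP_RIGHT = 0x00, 0x01, 0x02, 0x03, 0x04
BODY_FMT = ">BBI"
BODY_LEN = struct.calcsize(BODY_FMT)  # 6 bytes
TAG_LEN = 16                           # HMAC-SHA256 truncated to 128 bits


# --- the unauthenticated design this entry describes ---------------------------
def parse_unauthenticated(frame: bytes) -> dict:
    """Any peer that can write the characteristic gets its bytes acted on."""
    if len(frame) < 2:
        raise ValueError("short frame")
    return {"opcode": frame[0], "speed": frame[1]}


# --- hardened design -------------------------------------------------------------
class CommandSigner:
    """Controller side (e.g. the owner's app). `key` is a per-pairing secret,
    assumed here to be derived only after the controller has been authenticated."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def encode(self, opcode: int, speed_pct: int) -> bytes:
        self._counter += 1  # strictly increasing: the chair rejects anything older
        body = struct.pack(BODY_FMT, opcode, speed_pct, self._counter)
        tag = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class CommandVerifier:
    """Chair side. Rejects unkeyed or tampered frames and replays, and clamps
    the requested speed to the locally configured limit."""

    def __init__(self, key: bytes, max_speed_pct: int):
        self._key = key
        self._last_counter = 0
        self.max_speed_pct = max_speed_pct

    def verify(self, frame: bytes) -> dict:
        if len(frame) != BODY_LEN + TAG_LEN:
            raise ValueError("bad length")
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise ValueError("bad tag")               # no key, or payload altered
        opcode, speed, counter = struct.unpack(BODY_FMT, body)
        if counter <= self._last_counter:
            raise ValueError("replay")                # a captured frame re-sent
        self._last_counter = counter
        # The safety policy lives on the chair: a valid frame cannot lift the cap.
        return {"opcode": opcode, "speed": min(speed, self.max_speed_pct)}
```

The MAC is checked before the counter so an attacker cannot probe the counter state with unkeyed frames, and the cap is applied after verification so that even a legitimate, authenticated controller cannot "override speed restrictions" from the radio side. The key still has to come from an authenticated pairing; HMAC on top of Just Works only moves the problem.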
Network-Level Protections
- Bluetooth Intrusion Detection Systems (BIDS)
  - Deploy BLE monitoring tools (e.g., Blue Hydra, Ubertooth) to detect rogue connection and pairing attempts.
- Segmentation & Isolation
  - BLE does not traverse the IP network, so VLANs and firewall rules do not constrain an attacker in radio range. Segmentation applies to the companion app, any gateway or Bluetooth-to-IP bridge, and the systems that receive device telemetry; for the chairs themselves the controls are physical (where they are used and stored) and RF (monitoring).
- User Awareness Training
- Educate caregivers and users on Bluetooth security risks.
Regulatory & Compliance Considerations
- EU Medical Device Regulation (MDR 2017/745):
  - Vigilance obligations may require WHILL to report incidents to national competent authorities (e.g., BfArM in Germany, ANSM in France) and to address the flaw through a field safety corrective action.
- GDPR Implications:
- If personal data (e.g., user movement logs) is exposed, data breach notifications may apply.
- ENISA Guidelines:
- Align with ENISA’s IoT Security Baseline for medical devices.
5. Impact on the European Cybersecurity Landscape
Broader Implications
- Critical Infrastructure & Healthcare Risks
- Medical IoT devices are increasingly targeted (e.g., St. Jude Medical pacemaker vulnerabilities).
- Physical safety risks elevate this beyond traditional cyber threats.
- Regulatory & Legal Pressures
- EU Cyber Resilience Act (CRA) will mandate secure-by-design for IoT devices.
  - NIS2 Directive lists manufacturers of medical devices among important entities, and the hospitals that deploy the chairs fall under the health sector as essential entities.
- Supply Chain & Third-Party Risks
- Bluetooth stack vulnerabilities (e.g., BlueBorne, SweynTooth) may compound risks.
- Third-party app integrations (e.g., WHILL’s mobile app) could introduce additional attack surfaces.
- Public Trust & Market Impact
- Reputation damage for WHILL if exploits lead to real-world incidents.
- Insurance implications for healthcare providers using vulnerable devices.
Comparative Analysis with Other Medical IoT Vulnerabilities
| Vulnerability Class | Device Type | Key Risk |
|---|---|---|
| CVE-2025-14346 (this entry, CVSS v4.0 9.3) | Electric wheelchair | Physical harm via movement control |
| Unauthenticated RF programming (Abbott/St. Jude pacemaker advisories, 2017) | Implantable pacemaker | Unauthorized therapy changes |
| Unauthenticated RF remote commands (Medtronic MiniMed advisories) | Insulin pump | Unauthorized insulin delivery |
| Zigbee bridge flaws (Philips Hue research, 2020) | Smart lighting | Denial of service, pivot into the home network |
Scores for the comparison rows vary by advisory and CVSS version and are therefore not listed. Key Insight: while pacemakers and insulin pumps carry higher life-critical risks, electric wheelchairs introduce their own physical safety concerns (e.g., collisions, falls).
6. Technical Details for Security Professionals
BLE Protocol Analysis
1. Service & Characteristic Mapping
   - Device Information Service (0x180A): exposes model and firmware version strings.
   - Vendor service (0xFFE0 in the illustrative layout used in this analysis; the real WHILL UUIDs are not published in this entry): likely carries movement and configuration commands.
   - Control characteristic (0xFFE1, illustrative): writable, the target for command injection.
2. Packet Capture & Reverse Engineering
   - Tools: Wireshark (with the BLE/ATT dissectors), Ubertooth, nRF Sniffer; on Linux, btmon records the local adapter's HCI traffic.
   - Example attack flow with BlueZ (the handle and the payload are placeholders, not confirmed WHILL values):
```shell
# Discover advertising WHILL devices (hcitool is deprecated in BlueZ 5;
# `bluetoothctl scan le` is the current equivalent)
hcitool lescan

# Connect interactively and enumerate services and characteristics
gatttool -b <MAC> -I
[<MAC>][LE]> connect
[<MAC>][LE]> primary
[<MAC>][LE]> characteristics

# Write to the control characteristic. gatttool addresses characteristics by
# handle (taken from the `characteristics` listing), not by UUID such as 0xFFE1.
[<MAC>][LE]> char-write-cmd <handle> 01010101   # e.g. "forward at max speed"
```
3. Firmware Extraction & Analysis
   - JTAG/SWD debugging: extract firmware for static analysis (Ghidra, IDA Pro), provided the debug port has not been locked.
   - Firmware update analysis: check whether OTA images are signed, encrypted and version-pinned (anti-rollback).
Exploit Development Considerations
1. BLE Command Structure
   - Likely binary-encoded (e.g., 0x01 = forward, 0x02 = backward); the actual opcodes have to be recovered by capturing the legitimate app's traffic.
   - Speed control may use integer or floating-point fields (e.g., 0x00-0x64 for 0-100% speed).
2. Mitigation Bypass Attempts
   - Replay attacks: capture legitimate commands with a sniffer and resend them; without a freshness check, a replayed frame is indistinguishable from the original.
   - Fuzzing: drive Boofuzz (the maintained successor of Sulley) through a BLE write primitive to find parsing bugs in the command handler.
3. Post-Exploitation Persistence
   - Configuration tampering: modify max speed and acceleration profiles so the change outlives the attacker's connection.
   - Firmware downgrade: if updates are not signed or version-pinned, a patched device could be rolled back to the vulnerable build.
Detection & Forensics
- Bluetooth Log Analysis (on a companion or monitoring host; the chair itself exposes no logs to the user unless WHILL provides them)
  - Linux: bluetoothd messages in the journal or /var/log/syslog, and btmon for live HCI traces.
  - Windows: the Bluetooth operational channels under Applications and Services Logs in Event Viewer.
- Anomaly Detection
  - Unexpected BLE connections (e.g., unknown MAC addresses). Attackers can use random or resolvable addresses, so an allow-list of known controllers is more useful than a block-list.
  - Rapid command sequences (e.g., sudden speed changes or bursts of writes).
- Forensic Artifacts
  - Paired device list (stored in non-volatile memory).
  - Command history (if logged by the device).
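The anomaly-detection rules above can be expressed as a small stream analyzer. The code below is an added example (not WHILL's, BlueZ's or any vendor's code) run over constructed log lines whose format is invented for this illustration; in practice the events would come from btmon or bluetoothd output on a monitoring host, or from vendor telemetry where it exists. The allow-listed controller address, the control handle and the thresholds are assumptions.

```python
"""Stream detection for unknown peers, write bursts and speed jumps over
constructed BLE-host log lines. Added example; the log format, addresses,
handle and thresholds are assumptions for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the owner's controller drives normally, then an unknown
# peer connects and fires a burst of control writes with a speed jump.
SAMPLE_LOG = """\
2026-02-03T09:00:00Z conn peer=AA:BB:CC:DD:EE:01
2026-02-03T09:00:01Z write peer=AA:BB:CC:DD:EE:01 handle=0x0012 value=0114
2026-02-03T09:00:03Z write peer=AA:BB:CC:DD:EE:01 handle=0x0012 value=0120
2026-02-03T09:00:10Z conn peer=5C:F3:70:12:34:56
2026-02-03T09:00:10Z write peer=5C:F3:70:12:34:56 handle=0x0012 value=0164
2026-02-03T09:00:10Z write peer=5C:F3:70:12:34:56 handle=0x0012 value=0264
2026-02-03T09:00:11Z write peer=5C:F3:70:12:34:56 handle=0x0012 value=0164
2026-02-03T09:00:11Z write peer=5C:F3:70:12:34:56 handle=0x0012 value=0264
2026-02-03T09:00:11Z write peer=5C:F3:70:12:34:56 handle=0x0012 value=0064
"""

KNOWN_PEERS = {"AA:BB:CC:DD:EE:01"}   # the owner's paired controller (assumed)
CONTROL_HANDLE = "0x0012"              # handle of the control characteristic (assumed)


def parse_line(line: str) -> dict:
    """'<iso-ts> <event> k=v k=v ...' -> dict with a parsed timestamp."""
    ts, event, *kv = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    rec.update(item.split("=", 1) for item in kv)
    return rec


def detect(log_text: str, known_peers=KNOWN_PEERS,
           burst_window=timedelta(seconds=1), burst_max=3, speed_jump=40):
    """Return (timestamp, rule, peer) alerts:
      unknown_peer - connection from an address not in the allow-list
      write_burst  - more than burst_max control writes from one peer within burst_window
      speed_jump   - commanded speed (2nd payload byte in the hypothetical layout)
                     rises by more than speed_jump points between consecutive writes,
                     tracked per chair rather than per peer
    """
    alerts = []
    recent = defaultdict(deque)   # peer -> timestamps of recent control writes
    last_speed = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        peer = rec["peer"]
        if rec["event"] == "conn" and peer not in known_peers:
            alerts.append((rec["ts"], "unknown_peer", peer))
        elif rec["event"] == "write" and rec.get("handle") == CONTROL_HANDLE:
            q = recent[peer]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > burst_window:
                q.popleft()
            if len(q) > burst_max:
                alerts.append((rec["ts"], "write_burst", peer))
                q.clear()   # one alert per burst
            speed = bytes.fromhex(rec["value"])[1]
            if last_speed is not None and speed - last_speed > speed_jump:
                alerts.append((rec["ts"], "speed_jump", peer))
            last_speed = speed
    return alerts


if __name__ == "__main__":
    for ts, rule, peer in detect(SAMPLE_LOG):
        print(ts.isoformat(), rule, peer)
```

The speed rule is tracked per chair on purpose: what matters to the rider is the jump in the chair's commanded speed, regardless of which peer sent the write. The burst rule uses a sliding window so legitimate joystick updates spaced a second or more apart do not trigger it.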
Conclusion & Recommendations
Key Findings
- Critical authentication flaw in WHILL wheelchairs enables unauthorized physical control.
- Exploitable with minimal skill using off-the-shelf Bluetooth tools.
- High physical safety risk with potential for real-world harm.
Strategic Recommendations
1. For WHILL:
   - Immediate firmware patch with secure BLE pairing.
   - Recall vulnerable devices if no patch is feasible.
   - Engage with ENISA & CERT-EU for coordinated disclosure.
2. For Healthcare Providers:
   - Keep vulnerable devices out of unsupervised public areas where possible, and disable Bluetooth when it is not needed.
   - Implement BLE monitoring in medical facilities.
3. For European Regulators:
   - Enforce stricter IoT security standards under the Cyber Resilience Act.
   - Mandate vulnerability reporting for medical devices.
4. For Security Researchers:
   - Develop BLE intrusion detection signatures.
   - Monitor for exploit kits targeting medical IoT.
Final Risk Assessment
| Factor | Risk Level | Justification |
|---|---|---|
| Exploitability | Critical | Trivial to exploit with basic tools. |
| Impact | Critical | Direct physical harm possible. |
| Likelihood | High | Low barrier to entry for attackers. |
| Mitigation Feasibility | Medium | Requires firmware updates; some devices may be unpatchable. |
Overall Risk: Critical (9.3/10) – Immediate action required to prevent real-world exploitation.