Full Report
Researchers have demonstrated remotely controlling a wheelchair over Bluetooth. CISA has issued an advisory. CISA said the WHILL wheelchairs did not enforce authentication for Bluetooth connections, allowing an attacker who is in Bluetooth range of the targeted device to pair with it. The attacker could then control the wheelchair’s movements, override speed restrictions, and manipulate configuration profiles, all without requiring credentials or user interaction.
Analysis Summary
# Vulnerability: Remote Unauthenticated Bluetooth Control of WHILL Wheelchairs
## CVE Details
- CVE ID: Not provided in the source summary (assumed to be pending or assigned through the CISA advisory).
- CVSS Score: Score and severity are not provided in the source summary.
- CWE: CWE-311 (Missing Encryption in Transmission) or CWE-287 (Improper Authentication) are likely applicable based on the description.
## Affected Systems
- Products: WHILL wheelchairs.
- Versions: Specific vulnerable versions are not detailed, but the vulnerability pertains to devices using Bluetooth connections without adequate authentication enforcement.
- Configurations: Any WHILL wheelchair utilizing the affected Bluetooth implementation.
## Vulnerability Description
The affected WHILL wheelchairs fail to enforce proper authentication for Bluetooth connections. This flaw allows an unauthenticated remote attacker, who is within Bluetooth range of the device, to successfully pair with the wheelchair. Upon successful, unauthenticated pairing, the attacker gains the ability to control the wheelchair's movements, override established speed restrictions, and manipulate device configuration profiles without needing any user credentials or interaction.
## Exploitation
- Status: Researchers have demonstrated control. Whether exploitation has occurred in the wild is unknown based on the provided text.
- Complexity: Low (Requires only adjacency via Bluetooth range and no prior authentication/credentials).
- Attack Vector: Adjacent Network (Bluetooth range).
## Impact
- Confidentiality: Low (Focus is on operational control).
- Integrity: High (Ability to manipulate movement, speed, and configuration profiles).
- Availability: Medium (Ability to cease operation or cause movements contrary to user intent).
## Remediation
### Patches
- Patches are referenced via the CISA advisory (ICSMA-25-364-01), but specific patch versions are not listed here. Owners/operators should consult the CISA advisory and WHILL vendor documentation for updates.
### Workarounds
- **Physical Disassociation:** Ensure Bluetooth is physically disabled or the device is kept outside of the attacker's Bluetooth range if a patch is not immediately available.
- **Monitoring:** Monitor for unauthorized Bluetooth pairing attempts or unexpected movement commands.
## Detection
- **Indicators of Compromise:** Unexpected wheelchair movement, sudden changes in speed settings, or discovery of unexpected paired/connected Bluetooth devices.
- **Detection Methods and Tools:** Bluetooth traffic sniffing tools in adjacent range might reveal unauthenticated pairing attempts or commands being sent to the wheelchair controller.
## References
- Vendor Advisories: Referenced via CISA Advisory ICSMA-25-364-01.
- Relevant Links:
  - [cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01](hxxps://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01)
  - [securityweek.com/researchers-expose-whill-wheelchair-safety-risks-via-remote-hacking/](hxxps://www.securityweek.com/researchers-expose-whill-wheelchair-safety-risks-via-remote-hacking/)