Critical Authentication Flaw in WHILL Electric Wheelchairs Exposes Users to Remote Attacks

Source: INCIBE-CERT

INCIBE warns of an unauthenticated access vulnerability in WHILL electric wheelchairs, enabling remote control by attackers. Patch immediately.

Unauthenticated Access Vulnerability Discovered in WHILL Electric Wheelchairs

The Spanish National Cybersecurity Institute (INCIBE) has issued an urgent alert regarding a critical security flaw in WHILL electric wheelchairs. The vulnerability, identified on January 2, 2026, allows unauthenticated attackers to gain remote control of affected devices, posing severe risks to user safety and privacy.

Technical Details

The vulnerability stems from a lack of authentication mechanisms in WHILL’s wheelchair control systems. Attackers in physical proximity or with network access can exploit this flaw to:

  • Send unauthorized commands to the wheelchair’s motors and control systems
  • Override user inputs, potentially causing abrupt movements or stops
  • Access sensitive telemetry data without authentication

While INCIBE has not disclosed specific CVE identifiers, the flaw is classified as high-severity due to its potential for physical harm and privacy violations. The exact models affected remain undisclosed, but the issue likely impacts WHILL’s connected wheelchair lineup with remote-control capabilities.

Impact Analysis

This vulnerability introduces multiple risks:

  • Physical Safety: Attackers could manipulate wheelchair movement, leading to accidents or injuries.
  • Privacy Violations: Unauthorized access to telemetry data may expose user location, usage patterns, and other sensitive information.
  • Operational Disruption: Malicious actors could disable or hijack wheelchairs, disrupting mobility for users.

The flaw is particularly concerning for healthcare facilities, smart homes, or public spaces where WHILL wheelchairs are deployed, as attackers could exploit the vulnerability at scale.

Recommendations for Mitigation

INCIBE and WHILL urge users and administrators to take immediate action:

  1. Apply Patches: WHILL is expected to release firmware updates to address the authentication flaw. Users should install updates as soon as they become available.
  2. Network Segmentation: Isolate wheelchairs on dedicated, firewalled networks to limit exposure to unauthorized access.
  3. Physical Security: Restrict physical access to wheelchairs in high-risk environments to prevent localized attacks.
  4. Monitor for Anomalies: Implement logging and monitoring for unusual control commands or telemetry data access.
  5. Contact WHILL Support: Users should verify their wheelchair model’s vulnerability status and patch eligibility with WHILL’s technical team.

For further details, refer to INCIBE’s official advisory.

This is a developing story. Updates will be provided as more technical details and patches are released.