What happened
CISA warns of a vulnerability in WHILL C2 wheelchairs that could allow attackers to remotely manipulate device functions and compromise user safety. The vulnerability affects both firmware and software, potentially enabling malicious actors to alter movement controls or disable safety features. Network connectivity could be exploited to reach devices without physical access. The advisory emphasizes the risk to both users and healthcare providers managing fleets of powered wheelchairs. The warning highlights broader concerns around connected medical devices and the importance of firmware updates, secure configuration, and network segmentation to prevent exploitation.
Who is affected
Users of WHILL Model C2 wheelchairs, healthcare providers managing these devices, and organizations with connected mobility solutions are directly impacted. Facilities using networked wheelchairs, such as hospitals or assisted-living centers, may face operational disruption or safety incidents. Vendors and integrators of medical devices must ensure that firmware updates and proper access controls are in place to prevent unauthorized manipulation.
Why CISOs should care
Medical and assistive devices present unique security risks. Exploitable vulnerabilities may endanger patient safety, create liability concerns, and serve as potential attack vectors into broader healthcare networks. CISOs must consider device security within operational and patient safety contexts, enforcing proper segmentation, patching, and access policies.
3 practical actions
- Patch management: Apply vendor firmware and software updates immediately.
- Network segmentation: Isolate medical devices from general enterprise networks.
- Risk assessment: Conduct risk evaluations for all connected medical devices and mobility solutions.
