EPISODE · Dec 27, 2025 · 56 MIN
Pwn2Roll: Who Needs a 595€ Remote When You Have wheelchair.py? (39c3)
from Chaos Computer Club - recent events feed (low quality) · host elfy
A 595€ wheelchair remote that sends a handful of Bluetooth commands. A 99.99€ app feature that does exactly what the 595€ hardware does. A speed upgrade from 6 to 8.5 km/h locked behind a 99.99€ paywall - because apparently catching the bus is a premium feature. Welcome to the wonderful world of DRM in assistive devices, where already expensive basic mobility costs extra and comes with in-app purchases! And because hackers gonna hack, this just could not be left alone. This talk depicts the reverse engineering of a popular electric wheelchair drive system - the Alber e-motion M25: a several thousand euro assistive device that treats mobility like a SaaS subscription. Through Android app reverse engineering, proprietary Bluetooth protocol analysis, hours of staring at hex dumps (instead of the void), and good old-fashioned packet sniffing, we'll expose how manufacturers artificially limit essential features and monetize basic human mobility. What you'll learn: - how a 22-character QR code sticker, labeled as "Cyber Security Key", becomes AES encryption - why your 6000€ wheelchair drive includes an app with Google Play Billing integration for features the hardware already supports - the internals, possibilities and features of electronics worth 30€ cosplaying as a 595€ medical device - the technical implementation of the "pay 99.99€ or stay slow" speed limiter (6 km/h vs 8.5 km/h) - how nearly 2000€ in hardware and app features can be replaced by a few hundred lines of Python - why the 8000€ even more premium (self-driving) variant is literally identical hardware with a different Boolean flag and firmware plus another (pricier) remote We'll cover the complete methodology: from initial reconnaissance, sniffing and decrypting packets to reverse-engineer the proprietary communication protocol, to PoCs of Python replacements, tools, techniques, and ethical considerations of reverse engineering medical devices. This is a story about artificial scarcity, exploitative DRM, ethics and industry power, and how hacker-minded creatures should react and act to this. This talk will be simultaneously interpretated into German sign language (Deutsche Gebärdensprache aka. DGS). Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/pwn2roll-who-needs-a-599-remote-when-you-have-wheelchair-py
What this episode covers
A 595€ wheelchair remote that sends a handful of Bluetooth commands. A 99.99€ app feature that does exactly what the 595€ hardware does. A speed upgrade from 6 to 8.5 km/h locked behind a 99.99€ paywall - because apparently catching the bus is a premium feature. Welcome to the wonderful world of DRM in assistive devices, where already expensive basic mobility costs extra and comes with in-app purchases! And because hackers gonna hack, this just could not be left alone. This talk depicts the reverse engineering of a popular electric wheelchair drive system - the Alber e-motion M25: a several thousand euro assistive device that treats mobility like a SaaS subscription. Through Android app reverse engineering, proprietary Bluetooth protocol analysis, hours of staring at hex dumps (instead of the void), and good old-fashioned packet sniffing, we'll expose how manufacturers artificially limit essential features and monetize basic human mobility. What you'll learn: - how a 22-character QR code sticker, labeled as "Cyber Security Key", becomes AES encryption - why your 6000€ wheelchair drive includes an app with Google Play Billing integration for features the hardware already supports - the internals, possibilities and features of electronics worth 30€ cosplaying as a 595€ medical device - the technical implementation of the "pay 99.99€ or stay slow" speed limiter (6 km/h vs 8.5 km/h) - how nearly 2000€ in hardware and app features can be replaced by a few hundred lines of Python - why the 8000€ even more premium (self-driving) variant is literally identical hardware with a different Boolean flag and firmware plus another (pricier) remote We'll cover the complete methodology: from initial reconnaissance, sniffing and decrypting packets to reverse-engineer the proprietary communication protocol, to PoCs of Python replacements, tools, techniques, and ethical considerations of reverse engineering medical devices. This is a story about artificial scarcity, exploitative DRM, ethics and industry power, and how hacker-minded creatures should react and act to this. This talk will be simultaneously interpretated into German sign language (Deutsche Gebärdensprache aka. DGS). Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/pwn2roll-who-needs-a-599-remote-when-you-have-wheelchair-py
NOW PLAYING
Pwn2Roll: Who Needs a 595€ Remote When You Have wheelchair.py? (39c3)
No transcript for this episode yet
Similar Episodes
Apr 21, 2026 ·73m
Apr 18, 2026 ·95m
Apr 15, 2026 ·55m
Apr 13, 2026 ·68m
Apr 11, 2026 ·59m
Apr 9, 2026 ·66m