A researcher has identified critical vulnerabilities that can allegedly be exploited to remotely hack a building controller predominantly used by organizations in Russia.
The security flaws were discovered by researcher Jose Bertin in a controller made by Russian company Tekon Avtomatika, which specializes in equipment and software for elevators and other building systems.
A Shodan search shows more than 100 internet-exposed Tekon controllers that the vendor describes as “engineering equipment controllers.” Shodan currently shows 117 devices located in Russia and three in Ukraine.
In a blog post published last week, the researcher said the devices can be hacked due to the use of default credentials. The default credentials provide access with admin privileges to the Tekon controller’s user interface. However, the researcher claims to have found a way to execute code with root privileges by abusing a feature that allows users to add plugins.
These plugins are Lua scripts that can be added in a dedicated section of the user interface. Users can upload a plugin file and then click a “Save/Load” button to execute it.
The researcher created a proof-of-concept (PoC) script that allowed him to obtain root privileges and take complete control of the targeted device and potentially cause significant disruption.
“I got RCE and privilege escalation from an admin user to root. Now we can do whatever — more critically those devices can be shut down at once, creating an impact in Russian SCADA systems, remotely,” the researcher said in his blog post.
He told SecurityWeek that an “attacker could execute dangerous actions, like shut down the device or implant a backdoor. There are like 100 available and, according to Tekon, those devices could be placed in building elevators and SCADA environments as well — the impact could be dangerous.”
Many hackers have been trying to cause direct or indirect damage to Russia through DDoS attacks, data leaks and intrusions in response to its invasion of Ukraine. The timing of the research and the disclosure could be seen as an encouragement for hacktivists to take advantage of the flaws.
However, Bertin’s blog post does not mention the Ukraine-Russia war and the researcher told SecurityWeek that the goal of his report is not to cause damage.
“The post is pretty much straightforward to the technicals and OSINT related to SCADA devices,” he explained. “I usually track down SCADA devices around the world, but this time something cool popped up in Russia, so I decided to share with the world. Trying to make a better world — a secure world — for everyone, as I’ve been doing the last 12 years of my cyber security career.”
Bertin admitted that he did not contact the vendor before making his findings public, but said that he will try to reach the company.
SecurityWeek sent a request for comment to the vendor two days before this article was published, but we have yet to receive a response.