The Savitech USB audio driver installation package will install a root CA certificate into the Windows trusted root certificate store, in an incident that's reminiscent of the Superfish and eDellRoot episodes from 2015 and 2016, respectively.
Users usually install these drivers as separate packages, but they're also bundled inside setup software for all sorts of products.
Savitech, as a company, creates audio and video drivers for a wide range of devices. According to RSA security researcher Kent Backman — the one who spotted the Savitech root certificate installation process — only the company's USB audio driver installation package will install the root certificate.
This driver is provided to hardware vendors to support audio-capable devices that run via USB ports. Various vendors like AsusTek, EMC, Intos, Creek Audio, and others deploy Savitech's USB audio driver with their products.
Savitech admitted its mistake. A company spokesperson said they added the root certificate to support driver signing on Windows XP machines.
The driver was not needed for later versions of Windows, and the company decided to drop XP support from its products for the sake of user security.
"We have removed the code of installing SAVITECH’s certificate from software package after standard software package v22.214.171.124 published on March 31, 2017," a Savitech spokesperson said.
While Savitech's USB audio driver packages 126.96.36.199 and later do not install the root certificate anymore, they do not remove it either. Users have to remove the root certificate from the Windows trusted root store themselves.
Users are advised to search for and remove the following two Savitech root certificates. Instructions are available here.
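One way to audit the trusted root stores for such a certificate is sketched below in PowerShell. This is an added example, not Savitech's or the researcher's instructions. The `*Savi*` match pattern and the parameter names are assumptions; review the listed subjects and thumbprints before removing anything.

```powershell
# Added example: list (and optionally remove) vendor root CAs in the Windows trusted root stores.
# Assumption: the certificate's Subject or Issuer matches $Pattern; the default is a guess
# based on the vendor name and does not come from the article.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]$Pattern = '*Savi*',
    [switch]$Remove
)

# Machine store first: the per-user view can also surface machine-wide roots.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                SelfSigned = ($_.Subject -eq $_.Issuer)
                PSPath     = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output "No certificates matching '$Pattern' in the trusted root stores."
    return
}

# Report before touching anything, so the thumbprints can be checked against the vendor's notice.
$found | Format-Table Store, Subject, Thumbprint, NotAfter, SelfSigned -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Skip entries already gone (e.g. removed via the machine store a moment ago).
        if (-not (Test-Path -LiteralPath $cert.PSPath)) { continue }
        if ($PSCmdlet.ShouldProcess("$($cert.Subject) [$($cert.Thumbprint)]", 'Remove from trusted root store')) {
            Remove-Item -LiteralPath $cert.PSPath
        }
    }
}
```

Run it from an elevated prompt without `-Remove` first; removal from the machine-wide store requires administrator rights, and each deletion asks for confirmation.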
Currently, users aren't in any immediate danger. It could become catastrophic if a hacker or someone else compromised Savitech's private key for managing any of the root certificate versions installed by its driver.
Both Lenovo and Dell have shipped root certificates with their laptops in the Superfish and eDellRoot incidents. Lenovo's private key was compromised, and this put millions of users in danger of having their HTTPS web traffic intercepted. The FTC started an investigation into Lenovo's blunder and eventually reached a settlement of $3.5 million with the PC maker earlier this year.
There's no evidence that someone compromised Savitech's private key, but users should remove the certificates just to be safe.
If compromised, the certificate could also be used to sign malware. A recently published academic paper highlighted the increased usage of code-signing certificates to help malware bypass security scanners.
A Venafi report also discovered an underground market for such certificates on the Dark Web, where they're traded on average for $1,200/certificate, which is the equivalent of a fake passport, two handguns, six fake drivers' licenses, 12 hacked email accounts, 48 DDoS attacks, or 320 stolen credit card details.