The Savitech USB audio driver installation package will install a root CA certificate into the Windows trusted root certificate store, in an incident that's reminiscent of the Superfish and eDellRoot episodes from 2015 and 2016, respectively.

Users usually install these drivers as separate packages, but they're also bundled inside setup software for all sorts of products.

Savitech, as a company, creates audio and video drivers for a wide range of devices. According to RSA security researcher Kent Backman — the one who spotted the Savitech root certificate installation process — only the company's USB audio driver installation package will install the root certificate.

This driver is provided to hardware vendors to support audio-capable devices that run via USB ports. Various vendors like AsusTek, EMC, Intos, Creek Audio, and others deploy Savitech's USB audio driver with their products.

Users need to manually remove root certs

Savitech admitted its mistake. A company spokesperson said they added the root certificate to support driver signing on Windows XP machines.

The driver was not needed for later versions of Windows, and the company decided to drop XP support from its products for the sake of user security.

"We have removed the code of installing SAVITECH’s certificate from software package after standard software package v2.8.0.3 published on March 31, 2017," a Savitech spokesperson said.

While Savitech's USB audio driver packages from v2.8.0.3 onward no longer install the root certificate, they do not remove it either. Users have to remove the root certificate from the Windows trusted root store themselves.

Users are advised to search and remove the following two Savitech root certificates. Instructions are available here.

SaviAudio root certificate #1
Validity: Thursday, May 31, 2012 - Tuesday, December 30, 2036
Serial number: 579885da6f791eb24de819bb2c0eeff0
Thumbprint: cb34ebad73791c1399cb62bda51c91072ac5b050

SaviAudio root certificate #2
Validity: Thursday, December 31, 2015 - Tuesday, December 30, 2036
Serial number: 972ed9bce72451bb4bd78bfc0d8b343c
Thumbprint: 23e50cd42214d6252d65052c2a1a591173daace5
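The following PowerShell script is an added example, not part of the original article or of any Savitech software: it searches the machine-wide and per-user trusted root stores for the two thumbprints listed above and, only when run with -Remove, deletes the matching certificates. It assumes it is saved as a .ps1 file and run from an elevated session when the LocalMachine store is involved.

```powershell
# Added example (not from the article or from Savitech): locate the two SaviAudio
# root certificates listed above in the Windows trusted root stores and, if
# -Remove is given, delete them. The thumbprints are the ones the article lists.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$SaviAudioThumbprints = @(
    'CB34EBAD73791C1399CB62BDA51C91072AC5B050',  # SaviAudio root certificate #1
    '23E50CD42214D6252D65052C2A1A591173DAACE5'   # SaviAudio root certificate #2
)

# Both the machine-wide and the per-user trusted root stores are checked, since
# an installer may have written to either depending on how it was run.
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $Stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $SaviAudioThumbprints -contains $_.Thumbprint.ToUpperInvariant() } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Path       = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Host 'No SaviAudio root certificates found in the trusted root stores.'
    return
}

# Report what was found before touching anything.
$found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Removing from LocalMachine\Root requires an elevated session;
        # -WhatIf previews the deletion without performing it.
        if ($PSCmdlet.ShouldProcess($cert.Path, 'Remove root certificate')) {
            Remove-Item -Path $cert.Path
        }
    }
}
```

Running the script with no switches only reports matches; `-Remove -WhatIf` shows which store entries would be deleted before committing to `-Remove`.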

Currently, users aren't in any immediate danger. It could become catastrophic if a hacker or someone else compromised Savitech's private key for managing any of the root certificate versions installed by its driver.

Reminiscent of the Superfish and eDellRoot incidents

Both Lenovo and Dell have shipped root certificates with their laptops in the Superfish and eDellRoot incidents. Lenovo's private key was compromised, and this put millions of users in danger of having their HTTPS web traffic intercepted. The FTC started an investigation into Lenovo's blunder and eventually reached a settlement of $3.5 million with the PC maker earlier this year.

There's no evidence that someone compromised Savitech's private key, but users should remove the certificates just to be safe.

If compromised, the certificate could also be used to sign malware. A recently published academic paper highlighted the increased usage of code-signing certificates to help malware bypass security scanners.

A Venafi report also discovered an underground market for such certificates on the Dark Web, where they're traded on average for $1,200/certificate, which is the equivalent of a fake passport, two handguns, six fake drivers' licenses, 12 hacked email accounts, 48 DDoS attacks, or 320 stolen credit cards details.
