Io.net, a decentralized physical infrastructure network (DePIN), recently fell victim to a cybersecurity breach. Malicious individuals exploited exposed user ID tokens to carry out a Structured Query Language (SQL) injection attack, resulting in unauthorized alterations to device metadata within the graphics processing unit (GPU) network.
Husky.io, the chief security officer of Io.net, responded swiftly by implementing remedial measures and security upgrades to safeguard the network. The attack did not compromise the actual hardware of the GPUs, which remained protected by their robust permission layers.
The breach was discovered during a surge in write operations to the GPU metadata application programming interface (API), which triggered alerts at 1:05 am Pacific Standard Time on April 25.
To counter this breach, security measures were reinforced by implementing SQL injection checks on APIs and improving the logging of unauthorized attempts. Additionally, a user-specific authentication solution was rapidly deployed, utilizing Auth0 with Okta, to address vulnerabilities associated with universal authorization tokens.
However, this security update coincided with a snapshot of the rewards program, exacerbating an anticipated decrease in supply-side participants. As a result, legitimate GPUs that did not restart and update were unable to access the uptime API, leading to a significant drop in active GPU connections from 600,000 to 10,000.
To tackle these challenges, Ignition Rewards Season 2 was launched in May to incentivize supply-side participation. Ongoing efforts include collaborating with suppliers to upgrade, restart, and reconnect devices to the network.
The breach originated from vulnerabilities introduced while implementing a proof-of-work mechanism to identify counterfeit GPUs. The implementation of aggressive security patches prior to the incident prompted an escalation in attack methods, necessitating continuous security reviews and improvements.
The attackers took advantage of a vulnerability in an API that displayed content in the input/output explorer, inadvertently exposing user IDs when searching by device IDs. These malicious actors compiled this leaked information into a database weeks before the breach occurred.
By leveraging a valid universal authentication token, the attackers gained access to the “worker-API,” enabling them to modify device metadata without requiring user-level authentication.
Husky.io emphasized the importance of ongoing comprehensive reviews and penetration tests on public endpoints to detect and mitigate threats at an early stage. Despite the challenges faced, efforts are underway to incentivize supply-side participation and restore network connections, ensuring the integrity of the platform while serving tens of thousands of compute hours per month.
Io.net had plans to integrate Apple silicon chip hardware in March to enhance its artificial intelligence and machine learning services.