Io.net, a decentralized physical infrastructure network (DePIN), recently faced a cybersecurity breach. The breach occurred when malicious users utilized exposed user ID tokens to carry out a system query language (SQL) injection attack. This attack led to unauthorized modifications in the device metadata within the graphics processing unit (GPU) network. Husky.io, the chief security officer of Io.net, responded swiftly to the breach by implementing remedial actions and security upgrades to safeguard the network. Luckily, the attack did not compromise the actual hardware of the GPUs, as they have robust permission layers in place.
The breach was detected during a surge in write operations to the GPU metadata API. This triggered alerts at 1:05 am PST on April 25. In response, additional security measures were implemented, including the incorporation of SQL injection checks on application program interfaces (APIs) and improved logging of unauthorized attempts. A user-specific authentication solution using Auth0 with OKTA was promptly deployed to address vulnerabilities related to universal authorization tokens.
Unfortunately, this security update coincided with a snapshot of the rewards program, which resulted in an anticipated decrease in supply-side participants. As a consequence, legitimate GPUs that were not restarted and updated were unable to access the uptime API, causing a significant decline in active GPU connections from 600,000 to 10,000. To address this issue, Ignition Rewards Season 2 was launched in May to incentivize supply-side participation. Ongoing efforts involve collaboration with suppliers to upgrade, restart, and reconnect devices to the network.
The breach originated from vulnerabilities that were introduced during the implementation of a proof-of-work (PoW) mechanism designed to identify counterfeit GPUs. The installation of aggressive security patches prior to the incident prompted attackers to escalate their methods, necessitating continuous security reviews and enhancements. The attackers took advantage of a vulnerability in an API that allowed content to be displayed in the input/output explorer. This inadvertently exposed user IDs when searching by device IDs. The attackers compiled this leaked information into a database weeks before the breach occurred. They were then able to exploit a valid universal authentication token to access the ‘worker-API’, enabling changes to device metadata without the need for user-level authentication.
Husky.io emphasized the importance of ongoing comprehensive reviews and penetration tests on public endpoints to identify and eliminate threats at an early stage. Despite the challenges faced, efforts are being made to incentivize supply-side participation and restore network connections. This is crucial to maintain the integrity of the platform as it serves tens of thousands of compute hours per month. In fact, Io.net had plans to integrate Apple silicon chip hardware in March as a means of enhancing its artificial intelligence (AI) and machine learning (ML) services.
It’s unfortunate that the security update affected the supply-side participants, but glad to see Ignition Rewards Season 2 to incentivize participation.
Addressing vulnerabilities and implementing security upgrades show Io.net’s commitment to providing a safe platform.
Attackers will always find new ways, but Io.net’s dedication to security will keep them at bay.
The breach shows a clear lack of attention to detail during the implementation of the proof-of-work mechanism. Io.net should have been more diligent in identifying and addressing vulnerabilities.
Kudos to Husky.io for their swift response and remedial actions! The network is in safe hands!
What is the point of having a chief security officer if they can’t prevent cybersecurity breaches like this? Husky.io should be held accountable for this failure. 👎
Io.net, keep up the great work in serving tens of thousands of compute hours per month! Your platform is invaluable for many!
Collaborating with suppliers and reconnecting devices will help strengthen the network’s integrity. Way to go, Io.net!