|
Io.net, a decentralized infrastructure network (DePIN) for physical computing, recently experienced a network security vulnerability. Malicious actors exploited exposed user ID tokens to execute SQL injection attacks, leading to unauthorized changes in device metadata within the Graphics Processing Unit (GPU) network.
Husky.io, the Chief Security Officer of Io.net, promptly responded by implementing remediation measures and security upgrades to safeguard the network. Fortunately, the attack did not compromise the actual hardware of the GPUs, which remained secure due to robust permission layers.
The vulnerability was detected during a surge in write operations to the GPU metadata Application Programming Interface (API) and triggered an alert on April 25th, 1:05 AM Pacific Standard Time.
To address this, security measures were reinforced by implementing SQL injection checks on the API and enhancing logging for unauthorized attempts. Additionally, specific user authentication solutions using Auth0 and OKTA were swiftly deployed to address vulnerabilities associated with general authorization tokens.
Unfortunately, this security update coincided with the snapshot of the rewards program, exacerbating the anticipated decrease in participation from supply-side participants. Consequently, legitimate GPUs that were not restarted and updated could not access the API during regular operating hours, resulting in a significant drop in active GPU connections from 600,000 to 10,000.
In response to these challenges, Ignition Rewards Season 2 was launched in May to incentivize supply-side participation. Ongoing efforts include collaborating with vendors to upgrade, restart devices, and reconnect them to the network.
The leak stemmed from the implementation of a Proof of Work mechanism to identify counterfeit GPUs, introducing vulnerabilities. Proactive security patches prior to the incident prompted an upgrade in attack methodology, necessitating continuous security reviews and improvements.
Attackers exploited vulnerabilities in the API to display content in the input/output browser, inadvertently leaking user IDs when searching by device ID. Malicious actors compiled this leaked information into a database in the weeks leading up to the leak event.
Attackers used valid general authentication tokens to access the "worker-API," altering device metadata without user-level authentication. Husky.io emphasizes continuous thorough reviews and penetration testing of public endpoints to detect and eliminate threats early. Despite challenges, efforts are underway to incentivize supply-side participation and restore network connectivity, ensuring the platform's integrity while providing tens of thousands of compute hours of service monthly.
Io.net plans to integrate Apple Silicon hardware in March to enhance its artificial intelligence and machine learning services. |
|