Io.net responds to GPU metadata attacks
Io.net Decentralized Physical Infrastructure Network (DePIN) recently suffered a cyber security breach. Malicious users used vulnerable user ID tokens to perform a System Query Language (SQL) injection attack, which made unauthorized changes to device metadata in the graphics processing unit (GPU) network.
Husky.io, Io.net's Chief Security Officer, responded quickly with security measures and security updates to protect the network. Fortunately, the attack did not compromise the actual hardware of the secure GPUs due to strong authorization layers.
The breach was discovered on April 25 at 1:05 a.m. Pacific Standard Time when a write operation to the GPU metadata application programming interface (API) was added, triggering alerts.
In response, security measures have been strengthened by implementing SQL injection checks on APIs and increasing unauthorized access attempts. In addition, a user-based authentication solution using Auth0 was rapidly deployed to address the weaknesses associated with global authorization tokens.
Unfortunately, this security update coincided with a snapshot of the rewards program, which exacerbated the drop in expectations for supply-side participants. Therefore, legitimate GPUs that had not been restarted or updated could not access the timing API, resulting in a significant drop from 600,000 to 10,000 active GPU connections.
To address these challenges, Ignition Rewards Season 2 launched in May to encourage supply-side engagement. Ongoing efforts include working with vendors to upgrade, reset, and reconnect devices to the network.
The breach came from vulnerabilities in implementing a proof-of-work mechanism to detect fake GPUs. Aggressive security patches prior to the incident led to a proliferation of attack methods, necessitating ongoing security assessments and updates.
RELATED: AI Has a Hardware Crisis: Here's How Decentralized Clouds Are Fixing It
The attackers exploited a vulnerability in the API to display content in the I/O browser, inadvertently revealing user IDs when searching by device IDs. Malicious actors stored this leaked information into databases weeks before the breach.
The attackers used a valid universal authentication token to access the worker-API, enabling changes to device metadata without requiring user-level authentication.
Husky.io emphasizes ongoing thorough assessments and penetration testing of public endpoints to identify and remove threats early. Despite the challenges, efforts are being made to encourage supply-side engagement and restore network connections by handling tens of thousands of compute hours each month.
Io.net plans to integrate Apple's silicon chip hardware in March to boost its artificial intelligence and machine learning services.
Magazine: Real AI use cases in crypto: Crypto-based AI markets and AI financial analysis