Io.net Reacts to GPU Metadata Attack

On April 28, the founder of Io.net hosted a livestream to demonstrate live cluster building and alleviate fear, confusion, and doubt.

Io.net, a decentralized physical infrastructure network (DePIN), recently suffered a cybersecurity incident. Malicious users used exposed user ID tokens to perform a system query language (SQL) injection attack, resulting in unauthorized device metadata modifications inside the graphics processing unit (GPU) network. 

Husky.io, Io.net’s chief security officer, quickly responded with corrective steps and security modifications to safeguard the network. Fortunately, the assault did not compromise the GPU’s hardware, which is still secure thanks to strong permission layers. 

The breach was discovered amid a surge in write operations to the GPU metadata application programming interface (API), resulting in alerts at 1:05 a.m. Pacific Standard Time on April 25. 

In response, security measures were strengthened by adding SQL injection checks to APIs and improving monitoring of unauthorized attempts. In addition, a user-specific authentication solution based on Auth0 and OKTA was quickly deployed to address vulnerabilities in universal authorization tokens.

Unfortunately, this security update coincided with a snapshot of the rewards program, aggravating a predicted drop in supply-side participation. As a result, valid GPUs that did not restart and upgrade could not access the uptime API, causing a dramatic decline in active GPU connections from 600,000 to 10,000.

Ignition Rewards Season 2 was launched in May to address these difficulties and encourage supply-side engagement. Ongoing efforts include working with vendors to upgrade, restart, and reconnect equipment to the network. 

The leak resulted from flaws discovered when creating a proof-of-work system for detecting counterfeit GPUs. Before the event, aggressive security patches increased attack tactics, demanding ongoing security studies and enhancements.

The attackers used a vulnerability in an API to display items in the input/output explorer, mistakenly revealing user IDs when searching for device IDs. Malicious attackers gathered this exposed information into a database weeks before the incident. 

The attackers used a legitimate universal authentication token to get access to the “worker-API,” which allowed them to update device metadata without the need for user authentication. 

Husky.io underlined the importance of continuing detailed assessments and penetration tests on public endpoints to discover and neutralize attacks early on.

Despite the issues, efforts are being made to encourage supply-side involvement and restore network connections, guaranteeing the platform’s integrity while servicing tens of thousands of compute hours monthly. 

Io.net intended to integrate Apple silicon chip hardware in March to improve its artificial intelligence and machine learning capabilities.