Io.net reacts to an assault using GPU metadata

Following an attempt to allay doubts, anxiety, and terror, the creator of Io.net will present a webcast on April 28.

Io.net, a decentralised physical infrastructure network (DePIN), recently suffered a cybersecurity attack. Malicious users used exposed user ID tokens to launch a structured query language (SQL) injection attack, which resulted in unauthorised changes to device metadata in the graphics processing unit (GPU) network.

To safeguard the network, Husky.io, the chief security officer of Io.net, reacted quickly and implemented security updates. The actual hardware of the GPUs is safe since strong permission layers prevented the attack from compromising it.

Alarms were set off on April 25 at 1:05 a.m. Pacific Standard Time after the breach was discovered during a spike in write operations to the GPU metadata application programming interface (API).

As a result, APIs now have SQL injection checks in place, and the reporting of unwanted attempts has been improved. Furthermore, in order to address vulnerabilities associated with universal authorization tokens, a user-specific authentication solution utilising Auth0 with OKTA was quickly implemented.

Unfortunately, the rewards program’s snapshot and this security update came at the same time, which exacerbated an anticipated decline in supply-side participants. As a result, there was a large decrease in the number of active GPU connections from 600,000 to 10,000 since genuine GPUs that neglected to restart and update were unable to access the uptime API.

Ignition Rewards Season 2 was launched in May to promote supply-side participation in order to address these issues. Working with vendors to update, restart, and reconnect equipment to the network is one of the ongoing initiatives.

Vulnerabilities that were discovered during the implementation of a proof-of-work method to detect fake GPUs caused the compromise. Prior to the incident, aggressive security patching led to an increase in attack techniques, which called for ongoing security assessments and enhancements.

By exploiting an API vulnerability, the attackers were able to display items in the input/output explorer, and when users searched by device IDs, user IDs were unintentionally divulged. Weeks prior to the hack, malicious actors assembled this leaked material into a database.

The attackers gained access to the “worker-API” by using a legitimate universal authentication token, which allowed them to modify device metadata without needing user-level authentication.
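The two weaknesses described in this article (a universal token accepted for metadata writes, and SQL injection) and the fixes it mentions (user-specific authentication and SQL injection checks) can be sketched side by side. This is an added illustration, not Io.net's code: the `devices` table, the token values and the function names are hypothetical, and a dictionary lookup stands in for validating a per-user token.

```python
import sqlite3

# Constructed sample data; schema, tokens and names are hypothetical.
UNIVERSAL_TOKEN = "shared-worker-token"
USER_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # stand-in for verified per-user tokens

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE devices (device_id TEXT PRIMARY KEY, owner_id TEXT, gpu_model TEXT);
        INSERT INTO devices VALUES ('dev-1', 'alice', 'RTX 4090'), ('dev-2', 'bob', 'A100');
    """)
    return db

def models(db):
    return dict(db.execute("SELECT device_id, gpu_model FROM devices ORDER BY device_id"))

def update_weak(db, token, device_id, gpu_model):
    # Weak: one token shared by every worker, so the caller's identity is unknown,
    # and request values are pasted straight into the SQL text.
    if token != UNIVERSAL_TOKEN:
        raise PermissionError("bad token")
    cur = db.execute(
        f"UPDATE devices SET gpu_model = '{gpu_model}' WHERE device_id = '{device_id}'")
    return cur.rowcount

def update_hardened(db, token, device_id, gpu_model):
    # A per-user token resolves to exactly one identity.
    user = USER_TOKENS.get(token)
    if user is None:
        raise PermissionError("unknown token")
    # Values are bound as parameters, and the write is scoped to the caller's devices.
    cur = db.execute(
        "UPDATE devices SET gpu_model = ? WHERE device_id = ? AND owner_id = ?",
        (gpu_model, device_id, user))
    if cur.rowcount != 1:
        raise PermissionError("device not owned by caller")
    return cur.rowcount

if __name__ == "__main__":
    db = make_db()
    print(update_weak(db, UNIVERSAL_TOKEN, "x' OR '1'='1", "FAKE"), models(db))
    db = make_db()
    print(update_hardened(db, "tok-alice", "dev-1", "RTX 4090 Ti"), models(db))
```

In the weak handler a single crafted `device_id` rewrites every row; in the hardened one the same string is treated as a literal ID that matches nothing, and a valid user can change only devices they own.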

 

To identify and eliminate risks early, Husky.io stressed the importance of continuous, comprehensive assessments and penetration tests on public endpoints. Despite the obstacles, efforts are under way to guarantee the integrity of the platform while it provides tens of thousands of compute hours per month, by offering incentives for supply-side involvement and restoring network connections.

In March, Io.net intended to improve its machine learning and artificial intelligence services by integrating hardware based on Apple silicon chips.