Just in time for Halloween, a growing hacked device botnet named "Reaper" could put the internet in the dark.
Over a million internet-connected cameras and routers have already been infected, researchers with the Israel-based firm Check Point say, and the number is growing.
"Our research suggests we are now experiencing the calm before an even more powerful storm," they warned last week. "The next cyber hurricane is about to come."
"Botnets" consist of vast networks of thousands and even millions of computers that have been infected with malware, enslaving them to do someone else's bidding. They can be commanded — usually without their owners' knowledge — to provide the raw computing power to take down websites and launch further cyberattacks.
Last fall, chunks of the internet went offline for hours when a botnet of hacked cameras called "Mirai" was used to launch a "distributed denial of service" or DDoS attack on a major internet infrastructure provider. Sites like the New York Times, Twitter, and Netflix were unreachable via their web addresses for several hours.
Now "Reaper" could make that botnet look like child's play.
"It's a very big deal," Avivah Litan, an analyst at Gartner, told NBC News.
Worse than last year's massive attack
The botnet spreads from hacked device to hacked device, sneaking in via known security vulnerabilities, according to an analysis by Chinese researchers at 360 Netlab. The at-risk devices include several webcams and routers, among them models from popular makers such as Linksys, Netgear, and D-Link, none of whom provided a comment to NBC News in time for publication.
This is different from the attack last fall, which only used weak and default passwords to get into devices. That malware could easily be wiped just by rebooting the device. But the new botnet has automated basic hacking techniques in order to spread further. And by using known exploits, it can get in and spread without raising any alarms.
"The potential here is even bigger than what Mirai had," Maya Horowitz, the manager of Check Point's research team, told Wired magazine. "With this version it's much easier to recruit into this army of devices."
So far, researchers say the botnet is in its early "recruitment" and infection stage, focusing on amassing its army of zombie slave devices. No one knows what it might be used for. And it's possible it could fizzle out without being used for anything at all, as some previous botnets have.
They also caution that the botnet has already lost one of its key advantages: staying covert.
"Their methods, servers and resources are exposed and this gives the world a fighting chance to stop the threat before it can be used for attacks," Pascal Geenens, an expert with cybersecurity firm Radware, wrote to NBC News in an email.
And while its gathering force is a cause for concern, once it gets used for a specific purpose it shouldn't take more than a few hours to shut down its rogue traffic, experts say.
"Having a big fat internet hate cannon is neat, and it's hard to stop for a time, but it's a bit of a one-trick pony so people will just cut them off the internet eventually," an independent security analyst told NBC News. "The way these exploits appear to work, a firmware upgrade should in theory fix the problem."
According to a recent PwC survey, 55 percent of consumers believe the biggest security and privacy threat comes from internet of things devices, and 25 percent "see their growing reliance on technology as one of the top threats facing humanity over the next 50 years." Now the question is if they'll do anything about it.
"I'm assuming there will be a botnet outbreak at any moment," Shawn Burke, chief security officer at Sungard AS, told NBC News. "This is more about prevention instead of detection. First and foremost, consumers and organizations must be current with updates to avoid exploitation of hardware/software vulnerabilities."
In a warning released six days before the Check Point report, the FBI recommends consumers and businesses check to make sure their "internet of things" connected devices have their default usernames and passwords changed and that all security patches are updated.