With this year’s approaching holiday gift season the rapidly growing “Internet of Things” or IoT—which was exploited to help shut down parts of the Web this past Friday—is about to get a lot bigger, and fast. Christmas and Hanukkah wish lists are sure to be filled with smartwatches, fitness trackers, home-monitoring cameras and other wi-fi–connected gadgets that connect to the internet to upload photos, videos and workout details to the cloud. Unfortunately these devices are also vulnerable to viruses and other malicious software (malware) that can be used to turn them into virtual weapons without their owners’ consent or knowledge.

Last week’s distributed denial of service (DDoS) attacks—in which tens of millions of hacked devices were exploited to jam and take down internet computer servers—is an ominous sign for the Internet of Things. A DDoS is a cyber attack in which large numbers of devices are programmed to request access to the same Web site at the same time, creating data traffic bottlenecks that cut off access to the site. In this case the still-unknown attackers used malware known as “Mirai” to hack into devices whose passwords they could guess, because the owners either could not or did not change the devices’ default passwords.

The IoT is a vast and growing virtual universe that includes automobiles, medical devices, industrial systems and a growing number of consumer electronics devices. These include video game consoles, smart speakers such as the Amazon Echo and connected thermostats like the Nest, not to mention the smart home hubs and network routers that connect those devices to the internet and one another. Technology items have accounted for more than 73 percent of holiday gift spending in the U.S. each year for the past 15 years, according to the Consumer Technology Association. This year the CTA expects about 170 million people to buy presents that contribute to the IoT, and research and consulting firm Gartner predicts these networks will grow to encompass 50 billion devices worldwide by 2020. With Black Friday less than one month away it is unlikely makers of these devices will be able to patch the security flaws that opened the door to last week’s attack.

Before the IoT attack that temporarily paralyzed the internet across much of the Northeast and other broad patches of the U.S. last week, there had been hints that such a large assault was imminent. In September a network, or “botnet,” of Mirai-infected IoT devices launched a DDoS that took down the KrebsOnSecurity.com Web site run by investigative cybersecurity journalist Brian Krebs. A few weeks later someone published the source code for Mirai openly on the Internet for anyone to use. Within days Mirai was at the heart of last week’s attacks against U.S. Dynamic Network Services, or Dyn, a domain name system (DNS) service provider. Dyn’s computer servers act like an internet switchboard by translating a Web site address into its corresponding internet protocol (IP) address. A Web browser needs that IP address to find and connect to the server hosting that site’s content.

Friday’s attacks kept the Sony PlayStation Network, Twitter, GitHub and Spotify’s Web teams busy most of the day but had little impact on the owners of the devices hijacked to launch the attacks. Most of the people whose cameras and other digital devices were involved will never know, said Matthew Cook, a co-founder of Panopticon Laboratories, a company that specializes in developing cybersecurity for online games. Cook was speaking on a panel at a cybersecurity conference in New York City on Monday.

But consumers will likely start paying more attention when they realize that someone could spy on them by hacking into their home’s Web cameras, said another conference speaker, Andrew Lee, CEO of security software maker ESET North America. An attacker could use a Web camera to learn occupants’ daily routines—and thus know when no one is home—or even to record passwords as they are typed them into computers or mobile devices, Lee added.

The IoT is expanding faster than device makers’ interest in cybersecurity. In a report released Monday by the National Cyber Security Alliance and ESET, only half of the 15,527 consumers surveyed said that concerns about the cybersecurity of an IoT device have discouraged them from buying one. Slightly more than half of those surveyed said they own up to three devices—in addition to their computers and smartphones—that connect to their home routers, with another 22 percent having between four and 10 additional connected devices. Yet 43 percent of respondents reported either not having changed their default router passwords or not being sure if they had. Also, some devices’ passwords are difficult to change and others have permanent passwords coded in.

With little time for makers of connected devices to fix security problems before the holidays, numerous cybersecurity researchers recommend consumers at the very least make sure their home internet routers are protected by a secure password.