Two security researchers from iSec Partners have shown at the Black Hat security conference in Las Vegas they can unlock a Subaru Outback and actually start the engine - all remotely.
Using an Android phone and a technique they've dubbed 'war texting', Don Bailey and Matthew Solnik exploited two unnamed remote control products designed to allow cars to be locked and unlocked.
After setting up their own GSM network, they were able to intercept the password authentication messages between the server and the car. It took them just a couple of hours, they say.
And the pair says their technique could be used to attack many other systems, such as traffic control systems and security cameras, which receive firmware updates via text messages. More worryingly, it could also be used to attack SCADA sensors, and thus industrial systems, the power grid and water supply.
"I could care less if I could unlock a car door. It's cool. It's sexy," Bailey told CNN. "But the same system is used to control phone, power, traffic systems. I think that's the real threat."
The pair won't go into detail about the hack, or say which cars are vulnerable, until the manufacturers have had a chance to put things right. But General Motors, BMW and Mercedes all offer similar remote-control apps.
It's not the first time that security researchers have played around at controlling cars remotely. In May last year, a team from the University of Washington exploited a diagnostic computer system known as the Controller Area Network to operate cars' locks remotely and disable their brakes.