Using an app on my phone to start my car and warm it up ten minutes before leaving on a cold morning feels like living in the future, and I absolutely love it. But connecting everything to the internet introduces significant risks, as security researchers recently demonstrated.

A team of four researchers found a way to remotely hack into almost every Kia model from recent years using just a mobile connection. They developed an app that could scan the license plate of any car equipped with Kia Connect and gain almost complete remote control over it.

The tool is compatible with Kia models going back to 2014, with newer vehicles offering even more capabilities. On the latest models, for example, the app could track the car’s location via GPS, start or stop the engine, lock or unlock the doors, activate lights and horns, and even access the car’s 360-degree cameras.

Even more troubling, the app exposed personal information about the car owner, including their name, email, Kia Connect password, phone number, and physical address.

These remote capabilities were accessible through the tool even if the car owner wasn’t actively subscribed to Kia Connect. The only function the app couldn’t bypass was the car’s “immobilizer” system, which prevents the vehicle from being driven away without a key. However, others have been able to circumvent these systems as well.

Before you panic, know that Sam Curry and his team reported the vulnerability to Kia in June, and the issue was resolved by August—well before the Wired article was published. The team tested their proof-of-concept on cars belonging to friends and family, as well as inactive vehicles at rental agencies and dealerships. The tool was never used to endanger real people, and the vulnerability has been patched as far as the researchers and Kia can confirm.

Still, Curry’s public write-up of the hack shows how surprisingly straightforward it was. While the average person couldn’t pull this off, someone with basic computer science knowledge could exploit these systems. This vulnerability was found in the technology used by a company that sells millions of cars worldwide, and many new cars today use similar systems that have already been compromised in similar ways.

In a Wired interview, Curry painted a disturbing picture: “If someone cut you off in traffic, you could scan their license plate and know their location anytime, break into their car, and potentially stalk them.”

These are risks that most car buyers aren’t aware of and don’t know how to defend against. The responsibility for protecting the car and its owner falls on the manufacturer, and in this case, it seems they failed to meet that responsibility.