Hackers can steal your car—and a lot more—through your phone.
An often-asserted downside of internet-connected vehicles is that they’re subject to various forms of hacking, including theft. On Wednesday, a Norwegian security company called Promon claimed to have found something like the Holy Grail of vehicle hacking—by compromising a Tesla owner’s Android phone, they could take control of Tesla’s mobile app and steal the car.
The hack relies on tricking a Tesla owner into downloading a malicious app, for instance through a spoofed public Wi-Fi hotspot that would direct them to a deceptive Google Play download. That app could then escalate permissions on the owner’s phone and corrupt the Tesla app. Attackers could then, according to Promon, communicate with the Tesla server to issue remote commands including locating the victim’s car, opening its doors, and enabling keyless driving.
Get Data Sheet, Fortune’s technology newsletter.
There are a few caveats. The specific exploit used by Promon only works on Android versions 5.1 or older—that is, phones that haven’t been updated in nearly two years. More to the point, Promon acknowledged in a followup note that “this attack is not Tesla specific, and in generalized form can be used against any app”.
Promon does point out that an authorization token used by the Tesla app was unencrypted, making the hack easier, and that a few extra measures could have protected the app even after the phone was compromised. But at bottom, the flaw highlighted by Promon was in an outdated version of Android, not in the Tesla app itself. Choosing Tesla as a target was just savvy marketing by a company selling app security tools.
What’s not clear is whether that should make anyone feel better. Moralizing experts can scold users to keep their OS updated and not click on bad links. But in the real world, around 20% of Android devices still run 2012’s Jelly Bean, largely because hardware manufacturers don’t maintain device support. And hacking through deception (“social engineering”) will probably never die—by definition, half of all people are below average at spotting scams.
For more on hacking, watch our video.
The consequences of phone hacking will get more severe as remote-control apps become more common in the Internet of Things, making it possible for both owners and hackers to control everything from cars to home locks to desktop computers. Tesla itself, alongside its recent introduction of autonomy features, has said owners will someday be able to summon their cars from across the country using their phones. Some of those phones will, simply according to the law of averages, be compromised.
Of course, connection has its benefits, too. Tesla vehicles send real-time location data to owners’ apps, which last year helped a Vancouver couple relocate their stolen S 85D. Promon’s app hack doesn’t involve shutting down the car’s GPS feed, so even if a thief were to pull it off, they might not keep their prize for long.