A U.K. security firm hacked into a Mitsubishi Outlander plug-in hybrid electric vehicle after finding a vulnerability that let the researchers take control of the car’s functions and even turn off the alarm system.
The Pen Test Partners security firm was able to exploit a loophole in a mobile app that lets drivers communicate with their vehicles through their smartphones, highlighting how vulnerable cars equipped with Wi-Fi Internet connection can be to hackers.
Ken Munro, a security expert at Pen Test Partners who led the investigation, bought the plug-in electric hybrid after noticing a mobile app designed to give owners of the Outlander access to certain functions of the car used an unusual method to wirelessly connect to the SUV. The 2017 Mitsubishi Outlander PHEV made its U.S. debut in March at the 2016 New York International Auto Show and is expected to go on sale in the U.S. later this year.
Pen Test Partners said it had been mostly ignored Mitsubishi after it had contacted the Japanese automaker about the vulnerability. In response, the security company made its discovery public this week.
Since then, Pen Test Partners said Mitsubishi has been responsive and is now “taking the issue very seriously at the highest levels.”
As Munro explains in a blog post and video, most car apps that let users remotely locate and unlock cars connect through a web-based service that uses GSM, the communication channel used in mobile phones. But instead, the Outlander PHEV uses a Wi-Fi access point inside the vehicle to connect with a smartphone.
Users must disconnect from all other Wi-Fi networks and connect to this specific access point to gain control of the car functions. Security loophole aside, this system isn’t ideal because drivers can only communicate with their car when within Wi-Fi range.
Get Data Sheet, Fortune’s daily newsletter about technology.
Researchers also found that GSM was less secure that what other automakers use. For example, the car’s Wi-Fi passcode is written on a piece of paper in the owner’s manual, the firm said in a blog post, noting the format is too simple and short. The company said it was able to hack into the car in less than four days in addition to finding where the car is located, described in the video below.
[youtube https://www.youtube.com/watch?v=NSioTiaX_-Q]
From there, the security experts quickly figured out how to turn the SUV’s lights on and off, disrupt charging of the electric battery, adjust the air conditioning and heating, and disable the car alarm.
Pen Test Partners says users should disable the app and disconnect it from the car owner’s smartphone. The company also says Mitsubishi should immediately upgrade the software and use the more secure GSM module to connect to the car app.
The Mitsubishi hack is the latest in a string of security vulnerabilities found by researchers in cars. Hackers have multiple ways to gain access remotely, as demonstrated last year by two security experts who took control of a Jeep Cherokee from miles away by exploiting the car’s software. In March, the FBI and U.S. National Highway Traffic Safety Administration issued a bulletin warning that motor vehicles are “increasingly vulnerable” to hacking.
