Pen Test Partners found vulnerabilities in aftermarket car alarms which allowed them to hack and hijack cars in a matter of moments.

Pen Test Partners tested two alarms, one from Pandora Car Alarm Systems and the other Viper. The former said it uses uses 2.4 GHz radio frequencies to transport  encrypted messaging, among other features, according to a Pen Test March 7 post. Viper, known as Clifford alarms in the U.K., claims to prevent carjacking, key theft, and key cloning, and between the two brands, leave nearly 3 million vehicles at risk of theft.

Pen Test wrote the alarm’s vulnerabilities it took advantage of are insecure direct object references (IDORs) in the API. This was done by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account, the company wrote.

In addition to grand theft auto, the vulnerability allows an attacker to see the cars location in real time, identify the vehicle type so precious time can be allocated to more lucrative vehicles, lock and unlock, as well as start and stop the vehicle on command to ultimately take control of the vehicle.

Some alarms even allowed attackers to activate a vehicles in cabin microphone allowing them to snoop on unsuspecting victims

The vendors told researchers the vulnerabilities have been patched since they were reported to them which the researchers have yet to confirm. SC Media has attempted to reach both firms for comment but they have yet to respond.