She’d recently flown back from a work trip and complained that her fingers had been painfully cold on her drive home from the airport, thanks to below-freezing winter weather and a circulatory system condition known as Raynaud’s disease.

So Jmaxxz had the idea to buy her a remote starter that would connected to her car’s dashboard and, with an accompanying device and app called Linkr, allow her to start the car's engine with a tap on her phone.

A security-minded software engineer for a company he declined to name, Jmaxxz wondered what sort of remote hacking he might have left his girlfriend’s car susceptible to.

"In the back of my head I kept thinking, what’s the risk of this system, I’m putting her car on the internet," he remembers.

In a talk at the Defcon hacker conference today in Las Vegas, Jmaxxz described a series of vulnerabilities in MyCar, a system made by Canadian company Automobility, whose software is rebranded and distributed under names including MyCar Kia, Visions MyCar, Carlink, and Linkr-LT1.

MyCar's devices and apps connect to radio-based remote start devices like Fortin, CodeAlarm, and Flashlogic, using GPS and a cellular connection to extend their range to anywhere with an internet connection.