Time to exit the denial phase, guys.
Sorry, I've a bit of a rant to get through here, having worked in precisely this field and found very little acknowledgement of the longer-term risks. This is not unexpected; newcomers to the field will always underestimate both the efforts and the rewards of exploiting weak computers.
The point is that you only need one clever guy to crack the system, and his exploit can then be packaged and sold to all and sundry.
The "reward potential" for a car is quite high: a sophisticated infotainment system will have all manner of passwords and accounts, phone numbers, possibly NFC (near field comms) e-payment details. This is not to mention any scam exploits - like putting a bogus, urgent fault on the car that directs you to the nearest "friendly" garage, where you are relieved of some money.
At the moment the industry is in the denial phase; it looks like too much effort, on too variable a platform. Good points both of them; cost and risk vs reward are the fundamentals of "the crime equation", but they are on a collision trajectory: costs will fall and rewards will rise.
I was a little disconcerted by The Reg's uncharacteristically poorly informed opinion:
"interesting exercise by F-Secure a few years back singularly failed to infect a car via Bluetooth and we've not seen anything since to suggest that this has changed, even with advances in the sophistication of technology that might make such a scenario more feasible"
I would recommend reading: http://www.autosec.org/pubs/cars-usenixsec2011.pdf
Wherein the following passage appears: "We next assess whether an attacker can remotely exploit the Bluetooth vulnerability without access to a paired device. Our experimental analyses found that a determined attacker can do so, albeit in exchange for a significant effort in development time and an extended period of proximity to the vehicle."
They go on to describe in detail what can be done, today. Read on....