They implemented a CAN bus analyzer called CarShark and then fuzzed the protocols to find other attack vectors with significant results.
The paper:
Experimental Security Analysis of a Modern Automobile (Or here)
K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage. The IEEE Symposium on Security and Privacy, Oakland, CA, May 16-19, 2010.
They posted their Frequently Asked Questions on the paper.
While they used the OBD-II port (implying physical access was required) there are numerous wireless interfaces (such as CANRF) on board for entertainment, remote diagnostics and other features that interface with the on board network. Wireless interfaces include Bluetooth, Wifi, custom RF interfaces such as those for tire pressure, GM's Onstar system, one-way interfaces such as radio (particularly HD-radio) and Sirius and others.
Some web posts on the topic (from Stephen Northcutt):
- Popular Science
- PC World
- Individual's web page describing CAN
- Commercial site selling CAN products with Wireless CAN info.
- CANRF device