The currently known attack requires physical access to the diagnostic port. It may be possible in the future to devise a variant on that attack that can be performed remotely, perhaps by compromising something (the radio, the driver’s cell phone, an Internet of Things device) that has a legitimate reason to be connected to other devices.
