Re: Pretty likely how they attacked
"That sort of diagnostics should only be possible by plugging something via the OBD2 port."
It's not the same as the diagnostics when you bring your car in to be serviced.
I mean diagnostics that Tesla developers might have in their app to test remote functionality like keyless entry, summon etc. The in-house build probably has a page with diagnostics, commands to hit the brakes and other stuff that a dev might need to test features in the car already or features they're in the process of adding. There must even be an API of sorts since there are 3rd party apps like Remote S that can control the car remotely.
I agree they've screwed up big time. I expect the fault probably lies in the authentication layer, allowing replay attacks or suchlike. But Tesla should also disable certain commands from having any action when the car is in motion.
But yes, Tesla have screwed up big time here.