Reply to post:

No guns or lockpicks needed to nick modern cars if they're fitted with hackable 'smart' alarms

d3vy

"How? By doing a recall? Emailing users to update firmware? Or through an OTA update? Because none of those sound like great options..."

I'd guess none of the above.

What is described in the article is not a direct hack of the alarm on the car but of an API which allows account management and other features, allowing you to take over the user's account and then control the alarm.

I very much doubt that changing the user's email address is done via an API hosted on some kit in the car (though given the scale of the f*ck ups involved I won't rule it out :) ).

So they managed to get access to the user's account and from there they were able to sign into the app and control the alarm from there.

Same with the API for cruise control etc., it's very unlikely that the end user's app communicates directly with the car, rather it will send to a central service which (in theory) does the security checks before issuing the command to the car via some unpublished API (probably even less secure because they assume no one knows about it!).
