Because they literally opened up the dashboard and physically connected the hardware (laptop) inside the car, critics like to downplay the demo by saying that it isn't really "hacking" after all.
According to the BBC report, a spokesman for Toyota said:
"Altered control can only be made when the device is connected. After it is disconnected, the car functions normally. We don't consider that to be 'hacking' in the sense of creating unexpected behavior, because the device must be connected -- i.e., the control system of the car physically altered."
This is a quibble that comes close to missing the whole point.
As the Washington/Cal-San Diego team has shown, it's possible for code resident in some components of an automobile to control critical systems in a car. Their research also showed that such malicious code might be injected by an attacker with physical access to the vehicle, or even remotely -- over Bluetooth or the telematics unit.
That it is difficult for an attacker to attach hardware inside a car in the real world doesn't mean the threats are unrealistic.
As Miller and Valasek wrote in their paper, the point is that "If an attacker (or even a corrupted ECU) can send CAN packets, these might affect the safety of the vehicle."
In fact, the goal of the research was to see what could be done when hackers gain access to the ECU network. It's irrelevant whether it's done locally or remotely; access to a single ECU provides access to the whole network, and gives the ability to inject commands, according to the two researchers.
The two researchers concluded:
"The hope is that by releasing this information, everyone can have an open and informed discussion about this topic. With this information, individual researchers and consumers can propose ways to make ECUs safer in the presence of a hostile CAN network as well as ways to detect and stop CAN bus attacks. This will lead to safer and resilient vehicles in the future."
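One way to approach the detection the researchers call for, as an added example that is not from the article or from Miller and Valasek's paper: learn how often each CAN arbitration ID normally appears, then flag IDs that show up faster than that or were never seen. It assumes legitimate ECUs send each ID at a fixed period; the IDs, timings and payloads below are constructed, not taken from any vehicle.

```python
from collections import defaultdict
from statistics import median

def learn_periods(frames):
    """Median inter-arrival time (ms) per arbitration ID in a known-good capture."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _data in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: median(g) for cid, g in gaps.items()}

def detect(frames, periods, min_ratio=0.5):
    """Return (timestamp, can_id, reason) for frames that break the baseline.

    "too-fast" means the ID's rate is abnormal at that moment. CAN frames carry
    no sender identity, so the flagged frame may be the forged one or the
    legitimate one that followed it.
    """
    last, alerts = {}, []
    for ts, can_id, _data in frames:
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown-id"))
        elif can_id in last and ts - last[can_id] < min_ratio * periods[can_id]:
            alerts.append((ts, can_id, "too-fast"))
        last[can_id] = ts
    return alerts

# Constructed sample data: (timestamp in ms, arbitration ID, payload).
# Hypothetical IDs 0x0A0 (10 ms period) and 0x1B4 (20 ms period).
BASELINE = sorted(
    [(t, 0x0A0, b"\x00") for t in range(0, 200, 10)]
    + [(t, 0x1B4, b"\x00") for t in range(0, 200, 20)]
)
# Same traffic later, plus three extra 0x0A0 frames and one unseen ID.
CAPTURE = sorted(
    [(t, 0x0A0, b"\x00") for t in range(1000, 1100, 10)]
    + [(t, 0x1B4, b"\x00") for t in range(1000, 1100, 20)]
    + [(t, 0x0A0, b"\xff") for t in (1042, 1044, 1046)]
    + [(1055, 0x555, b"\x01")]
)

if __name__ == "__main__":
    for ts, can_id, reason in detect(CAPTURE, learn_periods(BASELINE)):
        print(f"{ts} ms  id=0x{can_id:03X}  {reason}")
```

The alert at 1050 ms is a legitimate frame arriving right after the extra ones, which is why a rate check on a shared bus identifies the affected ID rather than the offending sender.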