First of all, what is car hacking and how does it typically occur?

Car hacking can be defined as unauthorised access to a car via electronic means, and the subsequent theft or control usually without the owner's knowledge. Car hacking normally happens by gaining access to the car's electronic systems either through the onboard systems or remotely via the owner's app or manufacturer's car monitoring and control system. The techniques vary and some are more difficult than others. 

How close, physically, does a hacker have to be and what access do they need?

A hacker does not need to be physically close to the car and infact could be anywhere in the world. If the hack is performed by breaking into a car owner's app, the hacker just needs to be connected to the internet. This is very similar to how computer hacking occurs. The hackers are often in parts of the world where the legal jurisdiction either does not investigate hacking incidents or there is no way for criminals to be prosecuted across country borders. 

How does the modern car, with its wireless systems and IoT capabilities, make it more vulnerable to attack?

Modern cars should be considered as highly sophisticated mobile computers. Based on the evidence of the most recent car hacks, the fundamental problem seems to be that car manufacturers are not following and using well known secure application design, development and testing methodologies. On the other hand, the physical safety and security of cars is a well understood subject, and the car manufacturers should probably take a leaf out of their own book, and apply it to cyber security. 

What exactly can be hacked in a modern car? Engine, air con, lights, alarms, stereo. Basically, what’s would be easiest?

Given that today's cars are highly sophisticated and powerful compute devices, almost any part of the car could be hacked if the criminals were willing to undertake the necessary research. However they will most likely aim for the easiest and most profitable weaknesses. This will change over time. 

What can buyers do to reduce the risk?

Car owners should apply the same rules that they follow, or should be following, for their computers and smartphones. Use hard to guess passwords, do not share passwords and do not give anyone access to your car app or portal account. There is not much they can do otherwise since the car manufacturers control the car systems. For the example, unlike a PC or laptop, you cannot install a firewall in your car, although ironically cars do have physical firewalls between the engine and the passenger compartment, to literally protect the passenger against an engine fire. 

What has to change in the industry?

The car industry has to start using secure application design, development and testing methodologies. Some of the most recent hacks have been fairly basic in nature, and other areas of our connected world have long since moved past this point and are looking towards implementing sophisticated security controls, including biometrics and voice recognition.