Some security researchers from UCSD showed a proof of concept exploit via one of the dongles that appears to be also used by car insurance companies to monitor your driving "to give you discounts for good driving". I'm not really a fully paid up subscriber of the tin foil hat brigade but stuff like this makes me glad that I'm still opting for the old-fashioned way of paying for car insurance. Of course the fact that over half our fleet is too old to be OBD-II compliant may have some bearing on that as well...
Not knowing much about CAN bus, my assumption is that in order to get access to certain pieces of data, the dongle will have to put commands on the bus and read the responses. That part is blindingly obvious. Good security practices however would suggest that such a dongle would have a built-in mechanism that restricts the commands it can issue to the set of commands it actually needs to issue to fulfill its function rather than just allowing commands through unfiltered, especially if said dongle is connected to the outside world. I mean, with the ability to issue arbitrary commands to a pile of steel weighing a couple of tons and potentially moving at 70-80 miles per hour, what could possibly go wrong?
On the other hand, instead of having to invent one of those EMP devices as "showcased" in Fast & Furious to stop a street racer, all law enforcement has to do is to send the car an appropriate (or rather, inappropriate) text message.
If anybody needs me, I'm over on Hemmings.com looking for a Ford model A. Try texting that one to stop.