I don't think 15 minutes is the limit of vulnerability discovery, I think it's the limit for the exploitation. I think it was weeks instead on months, time was really tight. I honestly can't remember whether they get the source code to work with.

If I remember rightly they test the CAN and all wireless signals. I think one of the things they were worried about is an owner re-flashing the on-board software and selling on the car as it might still be under warranty.

But of course now that the vehicles are both online and moving towards self-driving, the threat space is completely changing. I think we're approaching the days where a computer virus actually takes lives.

"from 10 years as a security consultant..." Out of interest what area do you consult in?