My understanding of the original hack is that the root of the hack is a flaw in the existing platform validation. In particular that the random seed is set from the clock [not a bad practice in itself] and the clock is activated the first time the car is fired up [a somewhat problematic, since an attacker can be assumed to have the vehicle date via the VIN]. However, it's not even that hard since the first time the vehicle is fired up, the clock is at it's default time and date, and this narrows down the seeds to the range of potential latencies between the clock coming on line and the generation of the entropy pool.
In other words, the USB key can't use stronger crypto than vehicle and that crypto is poorly implemented [again, based on my understanding of the original hack].
