We published a report recently at the NHTSA's Enhanced Safety of Vehicles (ESV) conference that surveys many recent electrical/electronics (E/E) problems. Software defects fall into electrical/electronic systems in the ISO 26262 lingo. This includes a statistical analysis of recalls (classifying into those due to E/E problems) and ancedotes of many software defects resulting in recalls, including several examples of unintended braking, unintended acceleration, etc.: A Survey of Electrical and Electronic (E/E) Notifications for Motor Vehicles (PDF warning)

While writing this, we found a nice overview from Dr. Dobbs that's still fun to read: But I Never Did That Before!.

The Dr. Dobbs overview has a related recall from about 2 decades ago, where a car would not let occupants leave the vehicle:
"BMW 535i 1994: The double-lock feature can engage with occupants and the door/ignition key inside the vehicle. The occupants of the vehicle would be unable to exit either from the doors or from the windows of the vehicle. Drive-away protection would prevent the engine from starting. Dealers will replace the general control module with one containing the revised software to permit window opening with the double-lock engaged and key in the ignition."

Was making the exact same post as parent. Many people are thinking about privacy in vehicular networks. For example, most systems for aggregating data from cars for showing traffic speed anonymize the data in various ways to try to protect privacy. Here are some details:

A project at the University of Illinois preserves privacy when reconstructing global maps based on data collected from cars: http://www.springerlink.com/content/h545111k4g217374/

Abstract: "The proliferation of sensors in devices of frequent use, such as mobile phones, offers unprecedented opportunities for forming self-selected communities around shared sensory data pools that enable community specific applications of mutual interest. Such applications have recently been termed participatory sensing. An important category of participatory sensing applications is one that construct maps of different phenomena (e.g., traffic speed, pollution) using vehicular participatory sensing. An example is sharing data from GPS-enabled cell-phones to map traffic or noise patterns. Concerns with data privacy are a key impediment to the proliferation of such applications. This paper presents theoretical foundations, a system implementation, and an experimental evaluation of a perturbation-based mechanism for ensuring privacy of location-tagged participatory sensing data while allowing correct reconstruction of community statistics of interest (computed from shared perturbed data). The system is applied to construct accurate traffic speed maps in a small campus town from shared GPS data of participating vehicles, where the individual vehicles are allowed to “lie” about their actual location and speed at all times. An extensive evaluation demonstrates the efficacy of the approach in concealing multi-dimensional, correlated, time-series data while allowing for accurate reconstruction of spatial statistics."

The Mobile Millennium project ( http://traffic.berkeley.edu/ ) from Berkeley uses "virtual trip lines": http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5871633

Abstract: "Traffic monitoring using probe vehicles with GPS receivers promises significant improvements in cost, coverage, and accuracy over dedicated infrastructure systems. Current approaches, however, raise privacy concerns because they require participants to reveal their positions to an external traffic monitoring server. To address this challenge, we describe a system based on virtual trip lines and an associated cloaking technique, followed by another system design in which we relax the privacy requirements to maximize the accuracy of real-time traffic estimation. We introduce virtual trip lines which are geographic markers that indicate where vehicles should provide speed updates. These markers are placed to avoid specific privacy sensitive locations. They also allow aggregating and cloaking several location updates based on trip line identifiers, without knowing the actual geographic locations of these trip lines. Thus, they facilitate the design of a distributed architecture, in which no single entity has a complete knowledge of probe identities and fine-grained location information. We have implemented the system with GPS smartphone clients and conducted a controlled experiment with 100 phone-equipped drivers circling a highway segment, which was later extended into a year-long public deployment."