Bluetooth (depending how they implement pairing), CD and synced Android device sound like viable attack vectors. None of them are instant remote control with no action by the owner, but they're all quite usable.
Bluetooth: If it makes you enter a code displayed on the other device to pair, that's more secure. But if the car just displays something like "$DEVICENAME Do you want to pair with this device? [Yes] [No]", it's not really. Either someone will habitually click yes, or can be enticed to through careful choice of the device name.
CD: Pretty straightforward. Hand your enemy a CD when he's about to get into his car. Tell him it's a song, lecture or whatever you wanted him to listen to. CD goes in, malicious file does its thing, car crashes. Sure you could sabotage the car itself, but what car crash investigator is going to think to check the CD that was playing for custom-made viruses?
Paired Android device: Similar deal, but even better. Trick them into installing an app modified to contain malware. They'll have their app and be none the wiser. The malware lets you see when and where he's driving (GPS+accelerometer), and you can then interactively take control of the car when you please. Better still, the malware could erase itself from the phone just after the crash, so even if they think to check for that sort of thing, there will be nothing to find.