This isn't magic or even something new. Basic physics and engineering, it's the application that is new. Generally, it should be considered a design flaw of the system.
Easy Answer:
Neither the car nor the fob is being hacked, they're working exactly as designed. While different manufacturers have slight variations in their designs, the key problem is that some/all manufacturers didn't do anything smart to ensure the fob is actually near the car. Rather they relied on the propagation of electromagnetic (EM) radiation and assume that if they get a signal, the fob is near the car. The problem is that how strong or weak an EM signal appears to be, isn't just a function of distance. This is why we build better/bigger/directional antennas or output more power in the signal or employ more advanced signal processing, etc. The stronger the signal appears, the further it can effectively propagate while still being intelligible and the longer range you will have. The physics aren't a hack per se, it's how we engineer practically any communications system.
All they are doing is setting up an amplified repeater. Boost the cars signal so it can reach the now distant fob and vice versa. The repeater doesn't have to actually hack anything in the signal, it just has to relay the signal at a high enough effective power and the two devices will talk as if they really are near to each other. Since simple implementations assume that if they get a usable signal, the fob must be near the car, the car responds as if the fob is. This isn't hard to do at all. Hackers have shown accessing Bluetooth at over a mile with a not much more than a Pringles can and some washers (creates a directional antenna which boosts the effective signal power). You can buy similar devices for your wifi at home.
Harder Answer
The EM propagates much further than you can actually pull out an intelligible signal. The signal needs to stand out enough from all the noise to be received and made intelligible; this is called Signal-to-Noise-Ratio (SNR). Outside of some very sophisticated signal processing, you need the signals power to well above the noise floor or else you won't be able to understand it. Consider a very noisy room, your normal indoor voice isn't intelligible at anything but very close ranges due to the increased noise in the room (aka noise floor). You end up yelling, getting very close or both in order to communicate. The same principle is at work when you get far apart even in quiet environments. The car and fob, while using EM, are actually working on the same idea. They put out very weak, low power signals (measured in dB) such that at anything more than a short distance, they can't communicate because the signal becomes unintelligible (there isn't enough SNR to pull out the messages). Just like you can yell in a noisy room, there are ways to boost the signal so that intelligible communications occur a a longer distance. What these thieves have done is put a middle man between the two so they can communicate. The middle man merely repeats what each says at higher effective power and voila, there's enough SNR to close the communications path!
Depending on the implementation, this is potentially fixable. However, what this really shows is that the car manufacturers have no idea what so ever about security best practices. This isn't a shock though. This lack of security knowledge permeates many industries. A security expert was detained and question this week because he tweeted about being able to access the planes flight controls from the inflight wifi!
http://money.cnn.com/2015/04/17/technology/security/fbi-plane-hack/ The list goes on and on. The computer security field is light-years beyond most everyone else, but even then companies and individuals frequently ignore best practices. This is an absolute colossal engineering failure, which obviously has no regard for security. This is so basic, it's sad, it's incompetent.
Ways to potentially fix this (hardly inclusive):
1) Time of flight. If the implementation allows for a software update on the car to check time of flight, the car would know that the fob can't be close to it. You can't get around the fact that the signal propagates with a given velocity and even repeating it means the round trip time is too long. This is how GPS works, etc. However, given the speed involved, you need high precision clocks to measure the distances we're discussing here and I highly doubt anything but the GPS unit has such a clock. Alternatively, with multiple antennas you might be able to add triangulation estimates to the car/fob communication and reject this attack; this still works the same, but may remove the need for high-precision clocks.
2) Listen for the echo. Since the car puts out a signal to find the fob and the middle man repeats this signal exactly a short time later and at much higher power (remember the signal took time to travel from the car to the middle man), the car should be able listen for it's signal being repeated and ignore the fob. Of course, this would mean a such a device anywhere near your car effectively creates a Denial-of-Service attack. Unfortunately, there already will be many echoes and reflections of the cars original signal as it bounces around. However, the middle man should be at a much higher power...until they build a directional antenna.
I'm sure there are more, but if any particular manufacturer's design permits it is entirely unknown. If computer security is any indication, the best solution is multiple, redundant checks. Given the margins involved, I suspect they might not be able to fix it at all with out changing the design; everything been simplified as much as possible and there simply isn't any that wasn't essential to the flawed design.
Don't Panic
Don't freak though, the locks on nearly all of our houses are terrible too. Anyone with a basic skill set can pick them almost as fast as you can open it with the "key." Most security is for theater purposes only...it keeps honest people out, nothing more. Your real security posture hasn't changed much if any at all.
