Five months after returning rental car, man still has remote control

[Image: closeup of a hand holding a smartphone displaying the FordPass app.] FordPass, offered by Ford Motor Company, is available for iOS and Android devices.

When Masamba Sinclair rented a Ford Expedition from Enterprise Rent-a-Car last May, he was excited to connect it to FordPass. The app allows drivers to use their phones to remotely start and stop the engine, lock and unlock the doors, and track the vehicle’s precise location.

“I enjoyed it and logged into FordPass to be able to access vehicle features from my phone such as locking, unlocking, and starting the engine,” Sinclair, who is 34, told me. “I liked the idea of it more than I found it useful. The UI does look good and work well, though.”

Putting the onus on customers

Now, Sinclair’s opinion of mobile apps in rental cars is decidedly less favorable. That’s because, five months after he returned the vehicle on May 31, his app continues to have control over the vehicle. Despite multiple other people renting the SUV in the intervening months, FordPass still allows Sinclair to track the location of the vehicle, lock and unlock it, and start or stop its engine. Sinclair has brought the matter to Ford’s attention, both through its website and multiple times on Twitter. So far, Ford has done nothing to kill his access.

“All it took was me downloading the app and entering the VIN, then confirming connectivity through the infotainment system,” Sinclair said late last week. “There MIGHT be a way to disassociate my phone from the car itself, but that hasn’t happened yet, and it’s crazy to put the onus on renters to have to do that. I have had no problems at all and have even unlocked the doors and started the engine when I could see that the vehicle was in the Missoula airport rental car parking lot.”

Below are a video and image Sinclair took documenting his control of the vehicle. He took them last week and in June, respectively:

[Video: FordPass controls Enterprise rental for five months and counting]

[Image: screenshot of Sinclair’s phone after he unlocked the door. He performed the unlock when the vehicle was parked at an airport. Credit: Masamba Sinclair]

Tracking a vehicle daily

FordPass is offered by the Ford Motor Company and is available for both iOS and Android devices. It is one of several apps for connecting to Ford vehicles. The less-than-intuitive means for unpairing a vehicle and phone—not to mention the difficulty in knowing a device remains connected—represent a serious security and privacy risk, not just to renters, but to people buying a vehicle second hand.

While Ford said infotainment screens will indicate when a device is paired, it’s obvious that multiple Enterprise employees and renters have continued to miss the warning. Even now, after I discussed the problem with both Enterprise and Ford representatives, Sinclair’s access still hasn’t been revoked.

“I have been opening the app and tracking the vehicle almost every day to see if my access is still there, and sure enough, I can see exactly where my old rental, affectionately named ‘The Beast,’ is at any given moment,” Sinclair said. “This means that I can not only find this rental car whenever I want, but I can also unlock the doors and help myself to anything inside.”

Enterprise spokeswoman Lisa Martini wrote in an email:

Several years ago, we implemented employee training on best practices for clearing data as part of our standard vehicle cleaning procedures. Additionally, we have information in our privacy policy and rental agreements to remind customers to remove their data when returning a car. We also work closely with the various automotive manufacturers to ensure we update and enhance our procedures as needed in response to new features and technologies that are added to vehicles. To that end, we understand the concerns this specific situation has raised and are actively working with Ford to implement protocols for customers who attempt to enable this feature on a rental car using their personal account.

Renter beware

A copy of Sinclair’s rental agreement, however, shows that the reminder is vague and applies only to a customer returning a vehicle, who isn’t threatened by this security lapse. It doesn’t warn a customer upon renting. It states: “We are not responsible for any data that is left in the vehicle as a result of your use. We cannot guarantee the privacy or confidentiality of such information, and you must wipe it before you return the vehicle to us.”

I couldn’t find any language instructing a customer to ensure that devices belonging to previous customers are no longer connected. And in any event, the warning applies only to people who have used FordPass. A new customer who doesn’t use the app isn’t subject to the warning at all.

I asked Martini for clarification. She didn’t respond. She also didn’t respond to a question asking how Enterprise enforces its employee best practices for clearing data during the cleaning process.

Ford spokesman Martin Gunsberg, meanwhile, said that FordPass provides two ways to unpair a vehicle from a phone. The first is to use the infotainment system settings to perform a master reset. The second is to open the FordPass app, select the vehicle details button, scroll to the bottom, and select “Remove Vehicle.”

Gunsberg wrote:

We alert all drivers… FordPass enabled vehicles have a telltale in the top right hand corner of the SYNC screen if location sharing and remote start/stop, lock/unlock are active. These services can be manually turned off by pressing on the telltale and disabling these features. A pop-up will also alert the driver on each ignition on that location services are active if no known paired Bluetooth devices are detected.

Per the above response, SYNC will alert a new driver on ignition on that location services are active if no known Bluetooth device is connected. This alert is designed to occur before a new owner pairs their phone. At Ford dealerships, performing a Master Reset is part of a dealer’s used car checklist prior to the sale of a vehicle.

He also said that, when a FordPass user remotely tracks the vehicle location, the infotainment screen will display the words “GPS alert message.” Additionally, he said, when connecting FordPass to a vehicle that’s already paired to another phone, the new person receives an alert.

“They are prompted to conduct a Master Reset of the vehicle’s SYNC settings,” Gunsberg wrote. “We will also soon be adding regular communication to all FordPass users to remind them to conduct a Master Reset whenever they sell their vehicle.”

It’s not clear just how conspicuous the notice to perform a master reset is. The failure of Enterprise employees and customers to wipe the Ford Expedition for five months suggests it’s easy to miss. Additionally, the communication to do a Master Reset that Ford plans to add is problematic, since only the seller sees it. The person who is at risk from unauthorized access is the buyer; the seller faces no threat. What’s more, the message “GPS alert message” seems vague.
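The underlying design problem is that the phone-to-vehicle grant is bound to a VIN once and then lives until a human remembers to perform a master reset. The following is an added illustration, not code from Ford, Enterprise or the FordPass app: it models that persistent-grant behaviour next to a hypothetical alternative in which every grant records the vehicle’s possession epoch and any handover event (rental return, master reset, resale) bumps the epoch, so earlier grants stop working without the new driver doing anything. The VIN, account names and timeline are constructed for the example.

```python
"""Added example: two authorization models for remote-vehicle grants.

PersistentPairing mirrors the behaviour the article describes; EpochPairing
is a hypothetical hardening and is not Ford's or Enterprise's design.
"""
from dataclasses import dataclass, field

# Constructed sample VIN for the example; not a real vehicle.
VIN = "EXAMPLE-VIN-0001"


@dataclass
class Vehicle:
    vin: str
    # Possession epoch: incremented on every handover event. Only the
    # epoch model consults it.
    epoch: int = 0
    # account id -> epoch at which the grant was issued
    grants: dict = field(default_factory=dict)


class PersistentPairing:
    """A grant lives until someone explicitly performs a master reset."""

    def __init__(self):
        self.vehicles = {}

    def register(self, vin):
        self.vehicles[vin] = Vehicle(vin)

    def pair(self, vin, account):
        self.vehicles[vin].grants[account] = 0

    def can_control(self, vin, account):
        return account in self.vehicles[vin].grants

    def rental_return(self, vin):
        # Nothing happens unless staff remember the master reset.
        pass

    def master_reset(self, vin):
        self.vehicles[vin].grants.clear()


class EpochPairing:
    """Grants are bound to the possession epoch; any handover bumps the
    epoch and thereby invalidates every earlier grant."""

    def __init__(self):
        self.vehicles = {}

    def register(self, vin):
        self.vehicles[vin] = Vehicle(vin)

    def pair(self, vin, account):
        v = self.vehicles[vin]
        v.grants[account] = v.epoch

    def can_control(self, vin, account):
        v = self.vehicles[vin]
        return v.grants.get(account) == v.epoch

    def handover(self, vin):
        v = self.vehicles[vin]
        v.epoch += 1
        # Drop stale entries so the grant table does not grow without bound.
        v.grants = {a: e for a, e in v.grants.items() if e == v.epoch}

    # Rental return, resale and master reset are all handover events.
    rental_return = handover
    master_reset = handover


def simulate(backend_cls):
    """Run a timeline like the article's against one model and report who
    can still control the vehicle at each stage."""
    b = backend_cls()
    b.register(VIN)
    b.pair(VIN, "renter_a")       # first renter pairs via the app
    b.rental_return(VIN)          # vehicle returned to the lot
    after_return = b.can_control(VIN, "renter_a")
    b.pair(VIN, "renter_b")       # a later renter pairs the same SUV
    b.rental_return(VIN)
    b.pair(VIN, "renter_c")       # the current renter
    return {
        "a_after_return": after_return,
        "a_months_later": b.can_control(VIN, "renter_a"),
        "b_after_return": b.can_control(VIN, "renter_b"),
        "c_current": b.can_control(VIN, "renter_c"),
    }


if __name__ == "__main__":
    for cls in (PersistentPairing, EpochPairing):
        print(cls.__name__, simulate(cls))
```

In the persistent model every renter who ever paired keeps control until a master reset; in the epoch model only the grant issued in the current possession epoch is honoured, which is the property a rental fleet or a used-car sale actually needs.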

It wouldn’t be surprising if remote apps from other car manufacturers or third-party developers also maintain access long after the vehicles are rented or sold to new people. The lesson from Sinclair’s experience is a classic renter- and buyer-beware. The experience is also pertinent to survivors of abusive relationships or stalkers. Before anyone uses a new car, they should learn how to perform a full factory reset of the infotainment system and ensure it’s done.

https://arstechnica.com/?p=1592603