When Masamba Sinclair rented a Ford Expedition from Enterprise Rent-a-Car last May, he was excited to connect it to FordPass. The app allows drivers to use their phones to remotely start and stop the engine, lock and unlock the doors, and track the vehicle’s precise location.
“I enjoyed it and logged into FordPass to be able to access vehicle features from my phone such as locking, unlocking, and starting the engine,” Sinclair, who is 34, told me. “I liked the idea of it more than I found it useful. The UI does look good and work well, though.”
Putting the onus on customers
Now, Sinclair’s opinion of mobile apps in rental cars is decidedly less favorable. That’s because, five months after he returned the vehicle on May 31, his app continues to have control over the vehicle. Despite multiple other people renting the SUV in the intervening months, FordPass still allows Sinclair to track the location of the vehicle, lock and unlock it, and start or stop its engine. Sinclair has brought the matter to Ford’s attention, both through its website and multiple times on Twitter. So far, Ford has done nothing to kill his access.
@Ford I can still track and unlock the Expedition that I rented last week via the FordPass app. HUGE safety concern for all future renters. I submitted a solution via Ford New Ideas to solve this and it was denied. THIS NEEDS TO BE FIXED pic.twitter.com/dcdfLlPceJ
— Masamba (@MasambaS) June 4, 2019
@Ford It’s day 5 since I returned my rental and now someone else has rented it out. Do I need to start remotely unlocking it until they also start to complain? Please fix this! pic.twitter.com/S7UZVfIiFn
— Masamba (@MasambaS) June 5, 2019
.@Ford I returned this car two weeks ago and you’ve shown no willingness to allow rental companies to remove my access to unlock it and start the engine. Maybe I’ll just start randomly unlocking it. pic.twitter.com/MrBVU68Jh4
— Masamba (@MasambaS) June 14, 2019
“All it took was me downloading the app and entering the VIN, then confirming connectivity through the infotainment system,” Sinclair said late last week. “There MIGHT be a way to disassociate my phone from the car itself, but that hasn’t happened yet, and it’s crazy to put the onus on renters to have to do that. I have had no problems at all and have even unlocked the doors and started the engine when I could see that the vehicle was in the Missoula airport rental car parking lot.”
Below are a video and image Sinclair took documenting his control of the vehicle. He took them last week and in June, respectively:
Tracking a vehicle daily
FordPass is offered by the Ford Motor Company and is available for both iOS and Android devices. It is one of several apps for connecting to Ford vehicles. The less-than-intuitive means for unpairing a vehicle and phone—not to mention the difficulty in knowing a device remains connected—represent a serious security and privacy risk, not just to renters, but to people buying a vehicle second hand.
While Ford said infotainment screens will indicate when a device is paired, it’s obvious that multiple Enterprise employees and renters have continued to miss the warning. Even now, after I discussed the problem with both Enterprise and Ford representatives, Sinclair’s access still hasn’t been revoked.
“I have been opening the app and tracking the vehicle almost every day to see if my access is still there, and sure enough, I can see exactly where my old rental, affectionately named “The Beast,” is at any given moment,” Sinclair said. “This means that I can not only find this rental car whenever I want, but I can also unlock the doors and help myself to anything inside.”
Enterprise spokeswoman Lisa Martini wrote in an email:
Several years ago, we implemented employee training on best practices for clearing data as part of our standard vehicle cleaning procedures. Additionally, we have information in our privacy policy and rental agreements to remind customers to remove their data when returning a car. We also work closely with the various automotive manufacturers to ensure we update and enhance our procedures as needed in response to new features and technologies that are added to vehicles. To that end, we understand the concerns this specific situation has raised and are actively working with Ford to implement protocols for customers who attempt to enable this feature on a rental car using their personal account.
Renter beware
A copy of Sinclair’s rental agreement, however, shows that the reminder is vague and applies only to a customer returning a vehicle, who isn’t threatened by this security lapse. It doesn’t warn a customer upon renting. It states: “We are not responsible for any data that is left in the vehicle as a result of your use. We cannot guarantee the privacy or confidentiality of such information, and you must wipe it before you return the vehicle to us.”
I couldn’t find any language instructing a customer to ensure that devices belonging to previous customers are no longer connected. And in any event, the warning applies only to people who have used FordPass. A new customer who doesn’t use the app isn’t subject to the warning at all.
I asked Martini for clarification. She didn’t respond. She also didn’t respond to a question asking how Enterprise enforces its employee best practices for clearing data during the cleaning process.
Ford spokesman Martin Gunsberg, meanwhile, said that FordPass provides two ways to unpair a vehicle from a phone. The first is to use the infotainment system settings to perform a master reset. The second is to open the FordPass app, select the vehicle details button, scroll to the bottom, and select “Remove Vehicle.”
Gunsberg wrote:
We alert all drivers… FordPass enabled vehicles have a telltale in the top right hand corner of the SYNC screen if location sharing and remote start/stop, lock/unlock are active. These services can be manually turned off by pressing on the telltale and disabling these features. A pop-up will also alert the driver on each ignition on that location services are active if no known paired Bluetooth devices are detected.
…
Per the above response, SYNC will alert a new driver on ignition on that location services are active if no known Bluetooth device is connected. This alert is designed to occur before a new owner pairs their phone. At Ford dealerships, performing a Master Reset is part of a dealer’s used car checklist prior to the sale of a vehicle.
He also said that, when a FordPass user remotely tracks the vehicle location, the infotainment screen will display the words “GPS alert message.” Additionally, he said, when connecting FordPass to a vehicle that’s already paired to another phone, the new person receives an alert.
“They are prompted to conduct a Master Reset of the vehicle’s SYNC settings,” Gunsberg wrote. “We will also soon be adding regular communication to all FordPass users to remind them to conduct a Master Reset whenever they sell their vehicle.”
It’s not clear just how conspicuous the notice to perform a master reset is. The failure of Enterprise employees and customers to wipe the Ford Expedition for five months suggests it’s easy to miss. Additionally, the communication to do a Master Reset that Ford plans to add is problematic, since only the seller sees it. The person who is at risk from unauthorized access is the buyer. The seller faces no threat. What’s more, the message “GPS alert message” seems vague.
It wouldn’t be surprising if remote apps from other car manufacturers, or from third-party developers, also maintain access long after the vehicles are rented or sold to new people. The lesson from Sinclair’s experience is a classic renter- and buyer-beware. The experience is also pertinent to survivors of abusive relationships or stalkers. Before anyone uses a new car, they should learn how to perform a full factory reset of the infotainment system and ensure it’s done.
https://arstechnica.com/?p=1592603