
Client Retains Full Remote Control for a Rental Car Five Months After Returning It

Silviu STAHIE

October 30, 2019


A man who rented a Ford Expedition from Enterprise Rent-a-Car in the U.S. found out that he still had remote access to the vehicle through the FordPass app long after returning it, even though he had notified the rental company five months earlier.

The Internet of Things (IoT) made room for smart cars, and that includes the Ford Expedition rented by Masamba Sinclair from Enterprise Rent-a-Car in May. Soon after Sinclair returned the vehicle, he discovered that he retained control over some of the vehicle’s functions through the accompanying app.

FordPass is an application on Android and iOS that allows users to remotely control some functions for Ford smart cars, such as starting the engine and opening the doors. It’s useful in many situations, but it becomes a security and privacy issue when possible violations are ignored.

A few days after he returned the car, Mr. Sinclair noticed that he could still access the remote commands through the app. He contacted Ford and the car rental company, to no avail. Days, weeks and months went by, and the remote control was still present. Mr. Sinclair said he still has access to the car to this day, despite all the notifications he sent.

“@Ford I can still track and unlock the Expedition that I rented last week via the FordPass app. HUGE safety concern for all future renters. I submitted a solution via Ford New Ideas to solve this and it was denied. THIS NEEDS TO BE FIXED,” wrote Masamba Sinclair on his Twitter account.

Ars Technica talked with Ford spokesman Martin Gunsberg, who said that all of this is possible. Access to the car can be disabled from two directions: either the rental company performs a master reset, which is a lengthy procedure, or the client removes the vehicle from the app.

The car will display messages when users connect remotely or when it’s already paired to a phone. But in five months nobody noticed or cared to see what was happening with that car. Putting the responsibility for unpairing the phone and the car on the client shows disregard for the next driver. It also shows yet another way the IoT ecosystem could be made vulnerable by improper implementation of security measures.
