Five months after returning rental car, man still has remote control

Enlarge / FordPass, offered by Ford Motor Company, is available for iOS and Android devices.Ford Motor Company

When Masamba Sinclair rented a Ford Expedition from Enterprise Rent-a-Car last May, he was excited to connect it to FordPass. The app allows drivers to use their phones to remotely start and stop the engine, lock and unlock the doors, and track the vehicle's precise location.

"I enjoyed it and logged into FordPass to be able to access vehicle features from my phone such as locking, unlocking, and starting the engine," Sinclair, who is 34, told me. "I liked the idea of it more than I found it useful. The UI does look good and work well, though."

Putting the onus on customers

Now, Sinclair's opinion of mobile apps in rental cars is decidedly less favorable. That's because, five months after he returned the vehicle on May 31, his app continues to have control over the vehicle. Despite multiple other people renting the SUV in the intervening months, FordPass still allows Sinclair to track the location of the vehicle, lock and unlock it, and start or stop its engine. Sinclair has brought the matter to Ford's attention, both through its website and multiple times
on Twitter. So far, Ford has done nothing to kill his access.

@Ford I can still track and unlock the Expedition that I rented last week via the FordPass app. HUGE safety concern for all future renters. I submitted a solution via Ford New Ideas to solve this and it was denied. THIS NEEDS TO BE FIXED

— Masamba (@MasambaS) June 4, 2019

@Ford It's day 5 since I returned my rental and now someone else has rented it out. Do I need to start remotely unlocking it until they also start to complain? Please fix this!

— Masamba (@MasambaS) June 5, 2019

.@Ford I returned this car two weeks ago and you've shown no willingness to allow rental companies to remove my access to unlock it and start the engine. Maybe I'll just start randomly unlocking it.

— Masamba (@MasambaS) June 14, 2019

"All it took was me downloading the app and entering the VIN, then confirming connectivity through the infotainment system," Sinclair said late last week. "There MIGHT be a way to disassociate my phone from the car itself, but that hasn't happened yet, and it's crazy to put the onus on renters to have to do that. I have had no problems at all and have even unlocked the doors and started the engine when I could see that the vehicle was in the Missoula airport rental car parking lot."

Below are a video and image Sinclair took documenting his control of the vehicle. He took them last week and in June, respectively:

FordPass controls Enterprise rental for five months and counting
Screenshot of Sinclair's phone after he unlocked the door. He performed the unlock when the vehicle was parked at an airport.
Enlarge / Screenshot of Sinclair's phone after he unlocked the door. He performed the unlock when the vehicle was parked at an airport.Masamba Sinclair

Tracking a vehicle daily

FordPass is offered by the Ford Motor Company and is available for both iOS and Android devices. It is one of several apps for connecting to Ford vehicles. The less-than-intuitive means for unpairing a vehicle and phone—not to mention the difficulty in knowing a device remains connected—represent a serious security and privacy risk, not just to renters, but to people buying a vehicle second hand.

While Ford said infotainment screens will indicate when a device is paired, it's obvious that multiple Enterprise employees and renters have continued to miss the warning. Even now, after I discussed the problem with both Enterprise and Ford representatives, Sinclair's access still hasn't been revoked.

"I have been opening the app and tracking the vehicle almost every day to see if my access is still there, and sure enough, I can see exactly where my old rental, affectionately named "The Beast," is at any given moment," Sinclair said. "This means that I can not only find this rental car whenever I want, but I can also unlock the doors and help myself to anything inside."

Enterprise spokeswoman Lisa Martini wrote in an email:

Several years ago, we implemented employee training on best practices for clearing data as part of our standard vehicle cleaning procedures. Additionally, we have information in our privacy policy and rental agreements to remind customers to remove their data when returning a car. We also work closely with the various automotive manufacturers to ensure we update and enhance our procedures as needed in response to new features and technologies that are added to vehicles. To that end, we understand the concerns this specific situation has raised and are actively working with Ford to implement protocols for customers who attempt to enable this feature on a rental car using their personal account.

Renter beware

A copy of Sinclair's rental agreement, however, shows that the reminder is vague and applies only to a customer returning a vehicle, who isn't threatened by this security lapse. It doesn't warn a customer upon renting. It states: "We are not responsible for any data that is left in the vehicle as a result of your use. We cannot guarantee the privacy or confidentiality of such information, and you must wipe it before you return the vehicle to us."

I couldn't find any language instructing a customer to ensure devices belonging to previous customers who are no longer connected. And in any event,Read More – Source