App Lets Man Remotely Unlock, Start Enterprise Rental Car Months Later

A 2020 Ford Expedition on display in Wilmington Delaware, Oct. 6, 2019. (Image credit: Khairil Azhar Junos/Shutterstock)

UPDATED with additional comments from Masamba Sinclair, who rented the vehicle in question.

Check the oil, fill the gas tank, wash the exterior and floor mats -- and factory-reset the infotainment system? 

Rental-car-agency employees may soon have to add a new item to their returned-car checklist, now that a man who rented a Ford Expedition from Enterprise Rent-A-Car says he still can lock, unlock and start the vehicle through the FordPass app on his iPhone.

Masamba Sinclair told Ars Technica's Dan Goodin in an article yesterday (Oct. 28) that he returned the SUV, which he affectionately dubbed "The Beast," on May 31. But he said he has never lost control of the vehicle, and gave Goodin a video clip of the FordPass app locating the Expedition Oct. 24 near Pineville, Oregon.

"I returned this car two weeks ago and you've shown no willingness to allow rental companies to remove my access to unlock it and start the engine," Sinclair tweeted to the Ford Twitter account June 14. "Maybe I'll just start randomly unlocking it."

Sinclair's Twitter feed indicates that he lives in Philadelphia. It's not clear to which Enterprise agency he returned the Expedition on May 31, but the car was in Helena, Montana, five days later.

Renters, leasers and owners of newer Ford vehicles can pair their FordPass app to vehicles by entering the Vehicle Identification Number printed on the dashboard just inside the windshield, then confirming the pairing on the infotainment system's screen. 

Ford's website for vehicle owners says the FordPass app can "Monitor and control your vehicle in incredibly powerful ways," including the ability to start and stop the engine, "schedule a start," check the gasoline and engine-fluid levels and "Lock and unlock from just about anywhere." 

It probably wouldn't be good for a former renter to lock a current renter out of the vehicle at a remote campground, or kill the engine while it's climbing a mountain road.

Now, Sinclair could easily unpair the Expedition from his iPhone if he just tapped the Vehicle Details button and scrolled to the bottom of the screen to "Remove Vehicle," according to Ars Technica. He claimed ignorance of that detail.

"There MIGHT be a way to disassociate my phone from the car itself, but that hasn't happened yet," he told Ars Technica, adding that he had "even unlocked the doors and started the engine when I could see that the vehicle was in the Missoula airport rental car parking lot."

But that misses the point, which is that Enterprise Rent-A-Car staffers didn't, and still apparently haven't, reset the infotainment system on the vehicle themselves. They could easily perform a master reset on Ford vehicles by going into the Settings menu displayed on the home screen and scrolling down to "Master Reset." 

Perhaps that shouldn't be too surprising. How many times have you climbed into a rented car and found that the radio-station presets are already programmed in? 

Sinclair tried to contact Ford through its website about remotely unpairing him from the car. The company apparently responded with a form letter informing him that despite its willingness to "evaluate ideas from outside the Company," its "technical specialists [had] reviewed your idea" and "will not be investigating further development of your particular idea."

Sinclair might be barking up the wrong tree, though. Factory-resetting the infotainment system is something that rental-car companies should do, and that used-car dealerships are already instructed to do. 

But just in case, whenever you're taking command of a used vehicle, whether it's a rental or a purchase, wipe the infotainment system so that a previous driver can't track and control your movements.

UPDATE: In two Twitter exchanges with Tom's Guide after this story was initially posted, Masamba Sinclair said he always understood that he could remove a vehicle from the FordPass app. But he was not sure whether that would mean that the communications between his iPhone and the Expedition would definitely be cut. 

Those communications are over a mobile data network, not Bluetooth, he pointed out. "Forgetting" the Expedition's infotainment system in the iPhone's Bluetooth settings would likely not affect those communications. The car owner has to trust that the FordPass app's back-end servers are also deleting the connection.

Sinclair also pointed out that it's not enough if rental-car agencies make it a standard procedure to factory-wipe the infotainment system upon the return of a rental car. There are other scenarios, such as valet parking, in which someone could pair their phone to a vehicle without the owner's knowledge.

"The reason I wrote to Ford is because this vulnerability can be easily abused by valets," he tweeted. "There should be a way to remove individual device pairings without a factory reset, like with Bluetooth. Who wants to do a master reset whenever a valet returns your Ford?"
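To show what Sinclair is asking for, here is an added example (not code from Ford, Enterprise or the article) of a back end where the server, rather than the head unit, decides whether a paired phone may still send commands: a change of custody such as a rental return invalidates every earlier pairing, and a single device can be removed without a master reset. All class and method names are assumptions for illustration.

```python
# Added example, not Ford's or Enterprise's code: a minimal server-side model of
# remote-command authorization. The back end holds the pairings, so "removing" a
# vehicle or a device is only effective if it is recorded here.
from dataclasses import dataclass, field

COMMANDS = {"lock", "unlock", "start", "stop", "locate"}

@dataclass
class Pairing:
    device_id: str
    epoch: int          # custody epoch in which the phone was paired
    active: bool = True

@dataclass
class Vehicle:
    vin: str
    epoch: int = 0      # bumped on every change of custody (return, resale)
    pairings: dict = field(default_factory=dict)

class PairingService:
    """Hypothetical back end; names are assumptions, not a real API."""
    def __init__(self):
        self.vehicles = {}

    def register_vehicle(self, vin):
        self.vehicles[vin] = Vehicle(vin)

    def pair(self, vin, device_id):
        v = self.vehicles[vin]
        v.pairings[device_id] = Pairing(device_id, v.epoch)

    def remove_device(self, vin, device_id):
        # Per-device revocation, as for a valet's phone: no factory reset needed.
        v = self.vehicles[vin]
        if device_id in v.pairings:
            v.pairings[device_id].active = False

    def change_custody(self, vin):
        # Rental return or resale: every earlier pairing stops working server-side
        # even if nobody touched the infotainment system.
        self.vehicles[vin].epoch += 1

    def authorize(self, vin, device_id, command):
        # A command is allowed only for a known vehicle, a known command, and a
        # pairing that is still active and was made in the current custody epoch.
        v = self.vehicles.get(vin)
        if v is None or command not in COMMANDS:
            return False
        p = v.pairings.get(device_id)
        return p is not None and p.active and p.epoch == v.epoch
```

The key check is the epoch comparison: a phone paired before the return keeps its app entry, but the server no longer honours it.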

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.