Man is still able to remotely control Ford rental five months after returning it

Polycount · Oct 29, 2019

Scientific and technological progress often brings plenty of benefits for the average person, but sometimes, there are unintended consequences. As modern vehicles become more advanced, these consequences have become more clear than ever.

A recent report from Ars Technica highlights some of the issues associated with renting or buying a "connected vehicle" from a third party. In this case, a man named Msamba Sinclair acquired a Ford Expedition from rental service Enterprise back in May. A few days after returning it later that month, Sinclair realized -- much to his surprise -- that he still had access to the vehicle via the FordPass app, which lets drivers control various aspects of a supported Ford vehicle remotely.

Specifically, Sinclair was able to remotely start or stop the car's engine, lock or unlock the doors, and track its exact location. To this day (many months later), Sinclair still has access, suggesting that Enterprise (at least, the specific location the vehicle is being rented from) has failed to reset the vehicle's infotainment system properly upon each new rental.

Sinclair has tried to bring this issue to the attention of Ford, but without any success. His suggestions for fixing the dilemma, submitted via Ford's "New Ideas" program, were also rejected.

Naturally, this is a massive security risk for connected car users everywhere -- Ford is far from the only company that allows for remote systems control. Sinclair might be benevolent enough to draw attention to the matter and avoid abusing his access, but not every driver will be. The potential for bad actors to remotely unlock a vehicle and swipe a new renter's belongings (or worse) is ever-present.

Ford, for its part, says the infotainment screens of its connected vehicles will display a warning when a device is paired, but as Ars notes, it's clear that Enterprise workers have failed to see or heed this information over the past several months.

Ford also claims that performing a "Master Reset" -- which would unpair connected devices -- is part of a "used car checklist" at its own dealerships, which must be followed before the sale of a vehicle. It seems this Enterprise location has a different set of pre-rental protocols.

Regardless, this is an unfortunate situation, and we hope Ford and Enterprise develop a permanent solution moving forward, whether that comes in the form of a software fix from Ford or new pre-rental procedures from Enterprise.

Permalink to story.

https://www.techspot.com/news/82548-man-able-remotely-control-ford-rental-five-months.html

cliffordcooley · Oct 29, 2019

I think the problem is more dangerous than his scenario. Think of all the times you leave your vehicle (w/keys) to be serviced.

PEnnn · Oct 29, 2019

On a funnier note, this could drive the new rental customer crazy..... when he sees this diabolically possessed car with a mind of its own.....LOL!!

wiyosaya · Oct 29, 2019

From my experience dealing with Enterprise, I doubt that they even know what a reset button is.

Uncle Al · Oct 30, 2019

Yeah, if it wasen't so frightening it would be laughable ...... And Enterprise rentals used to be a lot smarter than this .... makes you wonder if their entire fleet is this lame .....

Vulcanproject · Oct 30, 2019

Ahhh the case of new technologies making vehicles less and less secure.

The first generation of Ford's keyless entry system was also stupidly insecure. In Europe it was applied to higher value Ford cars, such as the $35k 2009 Focus RS. This was a brand new desirable performance compact. Prime target for thieves. Dozens were stolen in weeks. Insurers wouldn't even quote you on the vehicle unless you had an approved aftermarket alarm system fitted.

Laughably easy to steal and drive away with commonly available relays and key reprogrammers. The increasing complexity of electronic systems on cars only makes them more vulnerable to tech savvy thieves.

Jeff Re · Oct 30, 2019

Uncle Al said:
...... And Enterprise rentals used to be a lot smarter than this ....

You clearly had a different experience with Enterprise than I did. I never saw them not be *****ic. Wow, I can't use the word I-d-I-o-t?

TheBigT42 · Oct 30, 2019

It's not a Ford issue it is an issue with the car Rental Company not doing a complete "Cleaning" of the vehicle between customers.

Gus Fring · Oct 30, 2019

Just changing the song on the radyo would be great , about two to three times a day. Not always to the same song , but something appropriate to their destination.. Spooky Mulder ...

ckm88 · Oct 30, 2019

Clearly Ford nor the car rental company cares. Both should be fined.

Uncle Al · Oct 31, 2019

Jeff Re said:
You clearly had a different experience with Enterprise than I did. I never saw them not be *****ic. Wow, I can't use the word I-d-I-o-t?

Well, it's not well known but a large number of their stores are franchise's rather than company stores and the owner can make all the difference. The one I use is owned by a retired marine officer and he runs a very tight ship. Cars always clean, well serviced, the 800 emergency number displayed and his contractors are kept equally sharp. Never had a billing error and if there is an issue, 95% it will go my way just because he wants his customers to keep coming back. What a shame ALL businesses aren't run this well!

Gezzer · Nov 4, 2019

TheBigT42 said:
It's not a Ford issue it is an issue with the car Rental Company not doing a complete "Cleaning" of the vehicle between customers.

Actually it's an example of just how insecure the IoTs really is. Yes Enterprise should be resetting their vehicles. But even if they were, how long do you think it will be before hackers gain access making the whole argument moot.
The fact that car's security system doesn't require a 2FA for infrequent users and an alert system that notifies the primary user that an infrequent user has logged in to the car is the real problem.
Many people just don't understand how insecure the IoTs really is. The more we connect everything and make it "smart" the more avenues there are for bad faith players to leverage. Think anyone that covers the camera lens on their laptop or tablet is paranoid? Those are the people that actually know how easy it is to exploit...

Markoni35 · Nov 5, 2019

That is not technological advance. That's a security failure. Calling that "advance" is same as calling a bug a feature. Designers and CEO of Ford should go to jail for even allowing important aspects of the car, such as turning the engine on/off, to be controlled by a smartphone.

There are also cars where the steering wheel is completely electronically controlled, which are also hackable from the outside. Because the imbeciles allowed the important bits of the control system to be exposed to internet connections. Internet should serve only for entertainment. It shouldn't in any way be connected to car control software. Whoever allows that connection should be imprisoned.

What's next? Pilots will be able to control the airplane with a smartphone? As well as ISIL "friends" from the surface. "Ahmed, I'm bored to death, let's take control of that 747 and smash it into an M1-Abrams tank, just for fun. I'm betting $5 on the tank."

Man is still able to remotely control Ford rental five months after returning it

Polycount

Posts: 3,017 +590

cliffordcooley

Posts: 13,141 +6,441

PEnnn

Posts: 1,285 +1,853

wiyosaya

Posts: 9,760 +9,644

Uncle Al

Posts: 10,171 +9,650

Vulcanproject

Posts: 1,698 +3,210

Jeff Re

Posts: 239 +217

TheBigT42

Posts: 792 +866

Gus Fring

Posts: 66 +19

ckm88

Posts: 385 +267

Uncle Al

Posts: 10,171 +9,650

Gezzer

Posts: 465 +223

Markoni35

Posts: 1,318 +539

Similar threads

Latest posts