He returned the rental car long ago. He can still turn the engine on via an app

Imagine you've parked your rental car and are walking away. Suddenly, the car starts up, seemingly on its own. Yes, it's another day in technology making everything better.
Written by Chris Matyszczyk, Contributing Writer
ford logo

A risk you can't afford?

You think we're living in the end of times?

No, this is just a transitional period between relative sanity and robot inanity.

The problem, of course, is that our deep, mindless reliance on technology is causing severe disruption.

I'm moved to this fortune cookie thought by the tale of a man who rented a Ford Expedition from Enterprise. He gave it back and, five months later, he discovered that he could still start its engine, switch it off, lock and unlock it and even track it. Remotely, that is.

You see, as Ars Technica described last October, Masamba Sinclair had connected his rental car to FordPass, an app that's presumably very useful. Who wouldn't want to remotely unlock the doors of a car someone else is renting? Just to imagine their faces, you understand. It so happened that Sinclair hadn't unpaired his app from the car. Cue the absurdity.

At the time, I thought Sinclair's tale entertaining. But surely the app's vulnerability would be patched, secured or whatever technical verbal emoji you might choose.

Yet Sinclair just rented another Ford -- this time, a Mustang. And what do you know, four days after he'd returned it he could still make the car do things from his phone. Which could have been a touch bemusing to anyone who happened to have subsequently rented it.

Sinclair even filmed some of the action.

It seems that Ford does offer warning notifications inside the car when it's paired with someone's phone.

Yet if subsequent renters or, indeed, the rental company's cleaners don't react to such notifications -- or simply don't see them -- a random somebody who happens to still have an app paired to the car may incite some remote action, like a ghostly jump start.

You might think Sinclair should have already disconnected his app from any car he'd previously rented. Some might grunt, though, that it shouldn't be his responsibility.

For its part, Enterprise gave Ars a statement that began: "The safety and privacy of our customers is an important priority for us as a company." An important priority, but not the most important priority?

The company added: "Following the outreach last fall, we updated our car cleaning guidelines related to our master reset procedure. Additionally, we instituted a frequent secondary audit process in coordination with Ford. We also started working with Ford and are very near the completion of testing software with them that will automate the prevention of FordPass pairing by rental customers."

Here's the part that always make me curl up on my sofa and offer intermittent bleats. Why is it that when technologies such as these are implemented, the creators don't sufficiently consider the potential consequences and prevent them from happening?

If Sinclair could so easily keep his app paired to any Ford he'd rented -- and this surely doesn't just apply to Fords -- why wasn't it easy for the Ford and/or Enterprise to ensure it couldn't happen?

Who is really in the driver’s seat? Unknown digital threats to your car’s security

Why does it take a customer to point out the patent insecurity of the system before companies actually do anything about it?

Perhaps one should be grateful that at least nothing grave occurred. But imagine if someone of brittle brains realized they could be the ghost in a machine and really scare a stranger.

Too often, tech companies place the onus on customers to work things out for themselves and even to save themselves. Or, worse, to only discover a breach when it's too late.

Wouldn't it be bracing if tech companies, I don't know, showed a little responsibility in advance?

Editorial standards