He returned the rental car long ago. He can still turn the engine on via an app

February 19, 2020

You think we're living in the end of times?

No, this is just a transitional period between relative sanity and robot inanity.

The problem, of course, is that our deep, mindless reliance on technology is causing severe disruption.

I'm moved to this fortune cookie thought by the tale of a man who rented a Ford Expedition from Enterprise. He gave it back and, five months later, he discovered that he could still start its engine, switch it off, lock and unlock it and even track it. Remotely, that is.

You see, as Ars Technica described last October, Masamba Sinclair had connected his rental car to FordPass, an app that's presumably very useful. Who wouldn't want to remotely unlock the doors of a car someone else is renting? Just to imagine their faces, you understand. It so happened that Sinclair hadn't unpaired his app from the car. Cue the absurdity.

At the time, I thought Sinclair's tale entertaining. But surely the app's vulnerability would be patched, secured or whatever technical verbal emoji you might choose.

Yet Sinclair just rented another Ford -- this time, a Mustang. And what do you know, four days after he'd returned it he could still make the car do things from his phone. Which could have been a touch bemusing to anyone who happened to have subsequently rented it.

It seems that Ford does offer warning notifications inside the car when it's paired with someone's phone.

Yet if subsequent renters or, indeed, the rental company's cleaners don't react to such notifications -- or simply don't see them -- a random somebody who happens to still have an app paired to the car may incite some remote action, like a ghostly jump start.

You might think Sinclair should have already disconnected his app from any car he'd previously rented. Some might grunt, though, that it shouldn't be his responsibility.

For its part, Enterprise gave Ars a statement that began: "The safety and privacy of our customers is an important priority for us as a company." An important priority, but not the most important priority?

The company added: "Following the outreach last fall, we updated our car cleaning guidelines related to our master reset procedure. Additionally, we instituted a frequent secondary audit process in coordination with Ford. We also started working with Ford and are very near the completion of testing software with them that will automate the prevention of FordPass pairing by rental customers."

Here's the part that always makes me curl up on my sofa and offer intermittent bleats. Why is it that when technologies such as these are implemented, the creators don't sufficiently consider the potential consequences and prevent them from happening?

If Sinclair could so easily keep his app paired to any Ford he'd rented -- and this surely doesn't just apply to Fords -- why wasn't it easy for Ford and/or Enterprise to ensure it couldn't happen?