Ford Authority

Man Had FordPass Access To Rental Car For Five Months: Video

A man named Masamba Sinclair rented a Ford Expedition five months ago, and while he had the car in his possession, he set up access to the vehicle with the FordPass app. Ford recently made all FordPass services free for compatible cars. It is disturbing to know that every compatible Ford is susceptible to this.

Sinclair says that he still has access to the Expedition via the FordPass app five months after his rental. All he had to do was download the app, enter the VIN of the Expedition, and confirm it via the infotainment system. He can still unlock and lock the doors, see where the car is, and start and stop the engine.

Sinclair says that he reported the issue to Ford. He says that he submitted the issue, along with a proposed solution, via Ford New Ideas, but it was denied. Think about how easy this would be to exploit in the wild. If you drive a Ford that supports FordPass to a hotel or a restaurant, the valet could pair the car to their phone app while they have it and simply come back later to steal it, effectively holding a key that unlocks the doors and starts the engine.

There is no official comment on the issue from Ford at this time. It's not clear how, or if, the vehicle owner can disassociate all devices from the car. This also poses an issue for used Ford sales down the road if a previous owner continues to have access to the car via the app.


Source: CarScoops

Shane is a car guy with a fondness for Mustangs and off-roading.



  1. Nathan

    You can lock, unlock, and start the car via the app but not drive it. It works just like a remote start system. The car won't go without the key in the vehicle….

  2. Mark

    Assuming the vehicle owner had the app set up for their own use, they would receive a message through the app when someone else was trying to get access. This is another reason the owner should activate and use the modem, as it does add some security regarding this potential issue. There are only two routes that someone could take to set their FordPass account to the vehicle, both of which would send a message to the actual owner. If someone else attempted to link their FordPass account to the vehicle without first doing a master reset, they would be a secondary user and the primary user would need to allow access through the app. If someone did a master reset in order to access approval from the vehicle touch screen rather than from the current primary user (a master reset could also be performed without any ill intent by a Ford shop in order to facilitate some repairs), the owner would get a notice that their vehicle access was removed from their account. Whenever it is necessary, for any reason, to remove a vehicle's access from an unwanted account, it is simply a matter of doing a master reset. This can be done by going to the touch screen settings, selecting General, scrolling to the bottom of that screen, and selecting Master Reset. Factory settings for Bluetooth and the vehicle modem are restored. This should be done any time a vehicle is sold, for the security of both past and current owner. As Nathan pointed out, anyone who had access to the vehicle through the app would not be able to drive the vehicle without the key or key fob, so no danger to vehicle theft. They would, however, be able to locate and unlock it through the app, which of course still causes some security concerns. The biggest concern would come from rental cars, as addressed in the article. Potentially, someone could connect their rental vehicle to the app and continue to have access until someone did a master reset. They could find where the vehicle is parked, unlock it, and help themselves to whatever possessions were in it. Rental companies would be smart to do a master reset on every vehicle as it is returned. This would be a good general practice, as it would remove all of the last driver's info from the system, including navigation, Bluetooth devices, and telematics system connections such as FordPass.

    1. Masamba

      There is no message sent to the user that a master reset has been performed and their access has been removed. I know this because Enterprise performed a reset and I never got notified that it happened. I just opened the app and I had lost access. Whatever impression there is of a solid notification system when there are access changes is misleading. Also, the biggest risk is the valet use case, not rental. Your car being valeted would allow the valet parker to repeatedly steal from your car since the registration has the address, whereas renters often do not live in the geographic region from where they are renting.

