Serious Ford Mach-E security hole: anyone who has your VIN # could potentially control your Mach-E!

Status
Not open for further replies.

tortor (Active Member; joined Nov 9, 2021; Location: CA; Vehicles: bmw x5):
Background: I ordered the Mach-E online on 7/31. It was delivered to the dealer on 11/9, and the dealer told me to add a $10K markup. I told them I needed to talk to Ford first. Since it was 7 PM on 11/9, I talked to a Ford rep on 11/10 and they could not do anything. On 11/11 (today) the dealer (Fremont Ford, Newark, CA) told me it was sold. See the link for details (https://www.macheforum.com/site/thr...r-10k-markup-on-my-mach-e-online-order.11287/)

The security hole: I did an online checkout of the car on 11/9 right after I received the notification, and was prompted to download the FordPass app and activate the car.

Today (11/11), out of curiosity, I opened the app and found that I could control the car. Note: I never got the chance to touch the car!!!!

Here is a snapshot of the app.

Advice: Be careful about your Mach-E. I suspect that if someone has the VIN #, they could potentially control the car.
(I will leave the app as is for Ford to debug the issue. Whoever bought my Mach-E, if you see this message, please DM me.)

Update (11/13): I corrected the typos in the dates. For some unknown reason, the thread was not open for further replies. I tried to email the webmaster but got no response. I assume the webmaster/Ford doesn't want the publicity here, but I think owners and the public need to be aware of this.

Because I believe it is not the case that everyone with a VIN could gain access to any Mach-E, I disclosed it publicly at the same time as to Ford.

I also need to clarify that I never saw the key or the inside of the car, and I gained access to the car through the app. I also did not initiate setting the phone as a key to the car, since I am not the owner of the car and did not want to get into trouble. I could only see the status of the car and the location of the car, start up the car, set it up, etc. I have not tried any action that could cause a change to the status of the car, and I am leaving the app as is for the moment for Ford to debug it.

Currently, I believe the process needs to be hardened with at least:
1) multi-factor auth
2) prevention of any man-in-the-middle hijack.

At the very least, for any phone to gain access to the car, an auth code should be sent to the phone and entered into the car, along with the physical presence of the key, phone and car at the same time. It's up to the Ford developers to investigate and improve the security of this process.


[Screenshot 2021-11-11 at 6.52.30 PM: the FordPass app showing the Mach-E]

veronicablack (Well-Known Member; joined Jun 10, 2021; Location: New York; Vehicles: Premium AWD ER Dark Matter Gray):
From what I understand, this can't just happen anytime someone has a VIN. They would also have to have access to inside the car to finish activation. So it sounds like whoever bought the car out from under you accidentally activated you as a user. But I don't think the average owner has to worry about someone unlocking their car just from seeing the VIN.
 
tortor (OP):
> From what I understand, this can't just happen anytime someone has a VIN. They would also have to have access to inside the car to finish activation. So it sounds like whoever bought the car out from under you accidentally activated you as a user. But I don't think the average owner has to worry about someone unlocking their car just from seeing the VIN.

I am not confident about this (I am a security software engineer). I downloaded the app on 9/9 at the office and did an activation (it showed pending at the time). Then I went to the dealer at 7 PM; I never touched the car. Today I opened the app, and it is activated. The whole thing really looks fishy based on my 20+ years of security experience.
 

Maquis (Dave; Well-Known Member; joined Dec 21, 2020; Location: Illinois; Vehicles: 2021 Mach E4X, 2023 Lightning Lariat ER):
> I am not confident about this (I am a security software engineer). I downloaded the app on 9/9 at the office and did an activation (it showed pending at the time). Then I went to the dealer at 7 PM; I never touched the car. Today I opened the app, and it is activated. The whole thing really looks fishy based on my 20+ years of security experience.

When you initiated the activation in your app, that caused a prompt to appear in the car to accept the activation. Either someone at the dealer or the new owner tapped the "accept" button.
It does make me wonder how whoever accepted the message would be aware of the origin of the request. It's been so long since I activated mine that I don't recall the exact prompt.
 
tortor (OP):
> When you initiated the activation in your app, that caused a prompt to appear in the car to accept the activation. Either someone at the dealer or the new owner tapped the "accept" button.
> It does make me wonder how whoever accepted the message would be aware of the origin of the request. It's been so long since I activated mine that I don't recall the exact prompt.

If I have the VIN #, I could do the same to try to activate the car before the owner, and boom, I gain control. I don't even need to get close to the car. If this is the case, who knows what else is there. It is really scary, man!
 


Maquis:
> If I have the VIN #, I could do the same to try to activate the car before the owner, and boom, I gain control. I don't even need to get close to the car. If this is the case, who knows what else is there. It is really scary, man!

No you can't. Someone has to acknowledge the activation request from the screen in the car.

As I stated previously, someone who had no clue what they were doing acknowledged your activation request from the car. It didn't have to be you personally; anyone can tap the button!
 

connoisseurr (Connor; Well-Known Member; joined Sep 29, 2021; Location: Northern VA; Vehicles: 22 Rivian R1T, 23 Tesla MYP; Occupation: IT Engineering):
> If I have the VIN #, I could do the same to try to activate the car before the owner, and boom, I gain control. I don't even need to get close to the car. If this is the case, who knows what else is there. It is really scary, man!

Incorrect. You physically cannot take ownership of the vehicle in the app if:
  • The MME is registered to another owner's FordPass app.
  • You do NOT accept the prompt on the Sync 4a screen after initiating the "Activate" sequence from the FordPass app. You or someone at the dealership accepted the activation by mistake.
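The flow described in this thread (an app request that needs nothing but the VIN, followed by a bare "accept" prompt on the car's screen, as Maquis and connoisseurr describe it) and the hardening the OP asks for (a code that ties the phone to physical presence in the car, plus refusing a new activation once the vehicle is registered to an owner) can be modelled side by side. The Python below is an added illustration written for this page; it is not FordPass or SYNC code and does not describe Ford's actual implementation. The class VehicleActivation, its methods, the constants CODE_TTL_SECONDS and MAX_CODE_ATTEMPTS, the account names and the VIN string are all invented for the example.

```python
import hmac
import secrets
import time

# Constructed placeholder for the example; not a real vehicle identifier.
EXAMPLE_VIN = "EXAMPLEVIN0000001"
CODE_TTL_SECONDS = 120      # how long a displayed code stays valid (assumed value)
MAX_CODE_ATTEMPTS = 3       # wrong guesses before the request is discarded (assumed value)


class VehicleActivation:
    """Toy activation state machine for one vehicle (hypothetical, not Ford's)."""

    def __init__(self, vin, hardened, clock=time.time):
        self.vin = vin
        self.hardened = hardened
        self.clock = clock
        self.owner_account = None   # account that currently holds remote control
        self.pending = {}           # request_id -> record of an unapproved request

    def request_activation(self, account):
        """App side: reaching this point needs nothing but the VIN."""
        if self.hardened and self.owner_account is not None:
            raise PermissionError("already activated; owner must remove or transfer first")
        request_id = secrets.token_hex(8)
        self.pending[request_id] = {
            "account": account,
            "code": f"{secrets.randbelow(10**6):06d}",  # shown only on the head unit
            "issued": self.clock(),
            "attempts": 0,
        }
        return request_id

    def in_car_accept(self):
        """Weak car side: a bare Accept button approves the oldest pending
        request without telling the person tapping it who sent it."""
        if self.hardened:
            raise RuntimeError("hardened mode has no bare Accept button")
        request_id = next(iter(self.pending))
        self.owner_account = self.pending.pop(request_id)["account"]
        return self.owner_account

    def head_unit_display(self, request_id):
        """Hardened car side: the screen names the requester and shows a code
        that only someone sitting in the cabin can read."""
        rec = self.pending[request_id]
        return f"Activation requested by {rec['account']}. Code: {rec['code']}"

    def confirm_with_code(self, request_id, account, code):
        """Hardened app side: the requester proves they were in front of the screen."""
        rec = self.pending.get(request_id)
        if rec is None or rec["account"] != account:
            return False                    # a request is bound to the account that made it
        if self.clock() - rec["issued"] > CODE_TTL_SECONDS:
            self.pending.pop(request_id)    # stale code, start over
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(rec["code"], code):
            self.pending.pop(request_id)
            self.owner_account = account
            return True
        if rec["attempts"] >= MAX_CODE_ATTEMPTS:
            self.pending.pop(request_id)    # stop online guessing of a 6-digit code
        return False


def demo_weak():
    """VIN-only request plus an anonymous tap in the cabin hands over control."""
    car = VehicleActivation(EXAMPLE_VIN, hardened=False)
    car.request_activation("attacker@example.com")
    return car.in_car_accept()              # whoever is in the car approves it


def demo_hardened():
    car = VehicleActivation(EXAMPLE_VIN, hardened=True)
    out = {}
    # Attacker knows the VIN but never sees the head unit. To keep the demo
    # deterministic the wrong guess is derived from the real code; a real
    # attacker would be guessing blind with the same odds.
    rid = car.request_activation("attacker@example.com")
    real = car.head_unit_display(rid).rsplit(": ", 1)[1]
    wrong = f"{(int(real) + 1) % 10**6:06d}"
    out["attacker_guesses"] = [car.confirm_with_code(rid, "attacker@example.com", wrong)
                               for _ in range(MAX_CODE_ATTEMPTS)]
    out["attacker_locked_out"] = rid not in car.pending
    # The buyer, sitting in the car, requests, reads the code off the screen and enters it.
    rid = car.request_activation("buyer@example.com")
    code = car.head_unit_display(rid).rsplit(": ", 1)[1]
    # Even with the buyer's code (read over a shoulder, say) the attacker's account does not match.
    out["hijack_with_code"] = car.confirm_with_code(rid, "attacker@example.com", code)
    out["buyer_ok"] = car.confirm_with_code(rid, "buyer@example.com", code)
    # Once activated, a fresh VIN-only request is refused before any prompt appears.
    try:
        car.request_activation("attacker@example.com")
        out["later_request"] = "accepted"
    except PermissionError:
        out["later_request"] = "refused"
    return out


if __name__ == "__main__":
    print("weak:", demo_weak())
    print("hardened:", demo_hardened())
```

The weak variant is the situation the thread describes: the request carries no proof that the requester is near the car, and the in-car prompt gives the person tapping it no way to know whose request they are approving. The hardened variant moves the secret onto the car's screen, binds each request to the account that created it, expires and rate-limits the code, and refuses new activations once an owner is registered, which is the "already registered to another owner" condition connoisseurr describes.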
 

EELinneman (Eric; Well-Known Member; joined May 4, 2021; Location: Littleton, CO; Vehicles: Mustang Mach-E GT Performance Edition; Occupation: Sr. Dir Cloud & Projects):
> No you can't. Someone has to acknowledge the activation request from the screen in the car.
>
> As I stated previously, someone who had no clue what they were doing acknowledged your activation request from the car. It didn't have to be you personally; anyone can tap the button!

My BS detector is going off. The OP mentions ordering in July and receiving in September, but then joins in November and posts something showing only 33 miles on the car. And without a timestamp. Guessing a Tesla troll, now that in Europe thieves have stolen 2 locked Teslas where the owners still had the key cards.