Valet Mode: Weakness Exposed

[FrunkMonk-e]

Summary

I left my car with the airport parking valet and a valet code. After three unsuccessful attempts with the code, my car is now stuck in the entry of the parking and I’m in a different state.

The Whole Story

I’ve just swerved into a problem that @FordMotorCompany apparently did not foresee.

I dropped my new Mach-E off at an airport park-and-ride service this morning and created a valet passcode as I have done on three other occasions.

While I was at my gate I got a notification through the FordPass app that the valet code had been attempted unsuccessfully. By the time I was able to contact the park and ride service they had already unsuccessfully attempted the valet code three times.

This disables valet mode until you return with your phone or a key fob. Before boarding my flight, I unlocked and started the car remotely with the FordPass app. They were still unable to move the car.

I contacted FordPass and explained the situation when my plane landed. They were sympathetic, but genuinely flummoxed. After they consulted for a while they came back and conceded there was nothing that could be done other than give the valet my backup Phone as a Key passcode which they recommended I don’t do.

The Solution

I told FordPass we need to be able to have the ability to manage valet mode within the app. I don’t know if the valet miss-typed the code three times or it failed for some reason. The first part of the code was able to open the door, so that part of it worked. But there has to be an override for a failed code or human error whichever it may be.

Until that happens, I’ll have to either give the valet a key fob or create the code, turn off the car, disable Bluetooth on my phone and start the car myself with the code before getting on the airport shuttle.

Sponsored

 

[ZuleMME]

The only time I used valet mode I enabled the mode but gave them the fob. This seemed like the easiest way to deal with the situation without potential trouble.

 

[mikeinet]

Ouch… so what did the parking lot do???

 

[Logal727]

Wow what a nightmare. I’ve avoided valet mode just because the whole thing is awkward to explain.

 

[FrunkMonk-e]

Ouch… so what did the parking lot do???

Nothing they can do. My car sits awkwardly where I left it.

 

[Mach-Lee]

The Solution

I told FordPass we need to be able to have the ability to manage valet mode within the app. I don’t know if the valet miss-typed the code three times or it failed for some reason. The first part of the code was able to open the door, so that part of it worked. But there has to be an override for a failed code or human error whichever it may be.

Until that happens, I’ll have to either give the valet a key fob or create the code, turn of the car, disable Bluetooth on my phone and start the car myself with the code before getting on the airport shuttle.

Not sure if that will be possible for security reasons. If somebody gets your FordPass account info, they could install the app, generate a valet code, and steal your car?

The app would have to verify you're using the actual device paired with PAAK before generating a valet code. It's still risky remotely generating a code that could be used to steal your car. I think Ford only wants to generate valet codes locally in the car right now.

@DevSecOps Thoughts on this?

And FYI, you would have to test this but I think you need to enter the valet code again before moving the car if it's been sitting in park too long, even if it's running. The car authorizes when you try to shift it out of park. If you don't shift out of park within a certain timeframe after entering the valet code, it might lock the gear shift until reauthorized.

 

[Mach-Lee]

Also reading the situation more here, I recommend having the valet move your car to the final parking spot while in your presence in case something doesn't work with the valet code. Don't just drop off the car and leave. If you want to drop without waiting, then give them a fob.

 

[JohnFoxeSheets]

Dang, that sucks.

When I was newly married I lived in NYC and had a reverse commute to the middle of New Jersey. There was no practical way to use public transit, so I bought the cheapest new car I could - a POS Sentra. It was delivered with only one key (the dealership couldn't find the second key).

Rather than park on the street, I got a monthly pass and parked the car at a tiny garage near where we lived. It was valet parking only since the cars were crammed in. One evening I dropped off my car in the single lane driveway tunnel down into the basement garage, shut the door, and said over my shoulder, "The key's in the car." and started to walk away. A valet says, "Where's the key?" "I just told you, in the car." I replied.

"The car's locked."

I asked if they had a slim jim. They said they didn't and would need to break a window. I told them NFW and we needed to figure out something else. They said go to my apartment and get the spare, but yeah, I had no spare. So I looked and there was just enough room to the side of the car to fit it up against the wall and leave enough space for other cars to pass. But of course this meant moving a locked car sideways. I told them my plan, and they asked me, "Who're we gonna do that?" I said, "we'll lift the car." There were a bunch of us, including one guy that was like 6'5" and maybe 260 pounds of muscle. Moving the back of the car was trivial, but moving the front was a bit more work because engine, and it was facing downhill. Anyway, we got it done in a couple minutes and I told them I'd get the spare key at the dealership and return asap.

That evening my wife and I head out to Brooklyn on the subway go to the dealership and get the spare key they had miraculously found when I called to bitch at them. We got the key but it was too late to get back to the garage before they closed. So the next morning I head over the the garage first thing in the morning to give them the key and get my car. The car was sitting there, unlocked.

They had a slim jim.

 

[DevSecOps]

Not sure if that will be possible for security reasons. If somebody gets your FordPass account info, they could install the app, generate a valet code, and steal your car?

The app would have to verify you're using the actual device paired with PAAK before generating a valet code. It's still risky remotely generating a code that could be used to steal your car. I think Ford only wants to generate valet codes locally in the car right now.

@DevSecOps Thoughts on this?

And FYI, you would have to test this but I think you need to enter the valet code again before moving the car if it's been sitting in park too long, even if it's running. The car authorizes when you try to shift it out of park. If you don't shift out of park within a certain timeframe after entering the valet code, it might lock the gear shift until reauthorized.

I think the issue with the proposed solution is problematic due to potential credential compromise and the liability to Ford

As of right now only an authorized phone with a generated key pair or a paired fob can engage the vehicle to drive or generate valet codes. If someone gets your credentials right now they could not drive the vehicle because they wouldn't have a key pair. However, the proposed solution would give someone who obtained FP credentials to use the app or API endpoints to generate a code sufficient to drive the vehicle. To @Mach-Lee comment about PaaK, that's the key pair I'm referring to and it's only stored in the car and phone. So, remotely, which is what the OP is referring to, it wouldn't be possible to verify the key pair.

The credentials could be phished, harvested or through a breach of Ford servers. Imagine every Mach E in a data breach suddenly becoming drivable. The data through the API also contains the vehicle location so they would really have all they need to steal thousands of cars.

The lockout due to invalid attempts is standard security practice. If valet left the car unlocked, it's what's keeping your car from being stolen. You can't protect against user error/stupidity. My guess is that they attempted to use the door code to start the car.

I don't see this proposal happening. It's definitely possible to do with a lot of revised security but for the 1% of people who use valet I don't think it'll make a dev pipeline anytime soon.

I think it's a good post so that people can be educated about the valet code and set expectations if they ever give the code to an attendant. Make sure they understand that there's two codes and they each have a purpose. It's also good for PaaK users to know in the event that they need a tow and have no fob.

 

[FrunkMonk-e]

I think the issue with the proposed solution is problematic due to potential credential compromise and the liability to Ford

As of right now only an authorized phone with a generated key pair or a paired fob can engage the vehicle to drive or generate valet codes. If someone gets your credentials right now they could not drive the vehicle because they wouldn't have a key pair. However, the proposed solution would give someone who obtained FP credentials to use the app or API endpoints to generate a code sufficient to drive the vehicle. To @Mach-Lee comment about PaaK, that's the key pair I'm referring to and it's only stored in the car and phone. So, remotely, which is what the OP is referring to, it wouldn't be possible to verify the key pair.

The credentials could be phished, harvested or through a breach of Ford servers. Imagine every Mach E in a data breach suddenly becoming drivable. The data through the API also contains the vehicle location so they would really have all they need to steal thousands of cars.

The lockout due to invalid attempts is standard security practice. If valet left the car unlocked, it's what's keeping your car from being stolen. You can't protect against user error/stupidity. My guess is that they attempted to use the door code to start the car.

I don't see this proposal happening. It's definitely possible to do with a lot of revised security but for the 1% of people who use valet I don't think it'll make a dev pipeline anytime soon.

I think it's a good post so that people can be educated about the valet code and set expectations if they ever give the code to an attendant. Make sure they understand that there's two codes and they each have a purpose. It's also good for PaaK users to know in the event that they need a tow and have no fob.

They could require two-factor authentication for this specific issue.

 

[DevSecOps]

They could require two-factor authentication for this specific issue.

As I said, they could implement other security measures, but that requires much more work. 2FA in the form of email or text is very week and if there was a data compromise the dataset would contain both of those data points which wouldn't be good. Additionally with TOTP, the provider, Ford, and the end user share the same secret, which could also be in the dataset. Implementing 2FA, as in a U2F would be better but trying to get all these retired folks to adopt that isn't likely. FordPass was designed around being a key fob in physical presence of the car. If you move out of BT range you'll see 90% of the features disappear as they are only used when the phone is connected to the car.

As someone who is in data and infrastructure security, I would welcome more security any day. I'm just trying to be realistic with your expectations of a car company that's way behind the ball technologically.

 

[ChuckA]

I had difficulty Valet Mode myself. I give the valet the keyfob.

 

[FrunkMonk-e]

As I said, they could implement other security measures, but that requires much more work. 2FA in the form of email or text is very week and if there was a data compromise the dataset would contain both of those data points which wouldn't be good. Implementing 2FA, as in a OTP would be better but trying to get all these retired folks to adopt that isn't likely. FordPass was designed around being a key fob in physical presence of the car. If you move out of BT range you'll see 90% of the features disappear as they are only used when the phone is connected to the car.

As someone who is in data and infrastructure security, I would welcome more security any day. I'm just trying to be realistic with your expectations of a car company that's way behind the ball technologically.

Some very small companies implement two-factor authentication. A company like Ford could use biometric authentication pretty easily.

 

[DevSecOps]

Some very small companies implement two-factor authentication. A company like Ford could use biometric authentication pretty easily.

Biometric is only locally on the mobile device (kinda like saving a password), it wouldn't do anything for the API. If hackers or bad actors got credentials they would script something to use the API. They wouldn't mess with FordPass.

Again, I would encourage more security, but we have a hard time getting release notes from Ford. I had a previous vehicle that would allow me to roll down/up the windows from afar. Ford see's that as a danger. Smaller companies have less vehicles and less complexity to navigate through to do things. Remember, FordPass isn't just for the MachE, it's for all their vehicles including ICE.

I'm not trying to argue with you, I'm just trying to explain how it is. I think your post is educational for a lot of members here about a very unused function. I'll see my way off this thread. I was asked for my opinion so I gave it, but you and any other members are free to push as hard as you want for heightened security to support remote valet codes. I'm all for the fight for heightened security!

Also, a side note: We had a member get banned about a month ago for an avatar with a gun. While I personally have zero issue with guns (or funny avatars), this is an EV forum and there's a lot of easily triggered people (and administrators) here. Tread carefully.

 

[ChuckA]

The only time I used valet mode I enabled the mode but gave them the fob. This seemed like the easiest way to deal with the situation without potential trouble.

Did putting the car in valet mode prevent the attendant from changing settings and turning on the radio?

Sponsored