PSA: Unauthorized API use can disable your FordPass account

[sockmeister]

Wow, this thread has blown up since the adventures some of us had earlier in the year. Seems like Ford finally got aggressive about this after racking up some excessive API usage bills.

The problem is, they're not going about it the right way. Blindly locking folks out, with no clear communication OR process in place for the help teams to deal with it is just causing a major headache. I believe that they'll get to the point where a developer API is available and mature with rate limits and everything else, but they're just moving slowly.

For those who are still locked out, it's a matter of getting a hold of the right team that can unlock your account. You've got to get your case transferred to the IT Security Team and they can unlock it.

Definitely sign out of whatever apps related to your car's data that you've ever opened an account with (and if you want to risk it in the future, just log in with a secondary sacrificial account that's tied to your main account. That's what I've done).

The reason the accounts get flagged is because of the user-agent passed to the server when making an API call doesn't match their own app's. It's completely stupid.
I feel for you all who are in that boat right now -- I was locked out for a few months before finally getting to the right department.

Sponsored

 

[ChasingCoral]

Wow, this thread has blown up since the adventures some of us had earlier in the year. Seems like Ford finally got aggressive about this after racking up some excessive API usage bills.

The problem is, they're not going about it the right way. Blindly locking folks out, with no clear communication OR process in place for the help teams to deal with it is just causing a major headache. I believe that they'll get to the point where a developer API is available and mature with rate limits and everything else, but they're just moving slowly.

For those who are still locked out, it's a matter of getting a hold of the right team that can unlock your account. You've got to get your case transferred to the IT Security Team and they can unlock it.

Definitely sign out of whatever apps related to your car's data that you've ever opened an account with (and if you want to risk it in the future, just log in with a secondary sacrificial account that's tied to your main account. That's what I've done).

The reason the accounts get flagged is because of the user-agent passed to the server when making an API call doesn't match their own app's. It's completely stupid.
I feel for you all who are in that boat right now -- I was locked out for a few months before finally getting to the right department.

I agree completely.

The bad news is Ford is coming down hard on this and doing it in a way that penalizes the customer, then providing the customer with poor responses via their Ford Guides.

The good news is that I can tell you it has now come to the attention of the top folks on their cloud services side.

 

[sockmeister]

I agree completely.

The bad news is Ford is coming down hard on this and doing it in a way that penalizes the customer, then providing the customer with poor responses via their Ford Guides.

The good news is that I can tell you it has now come to the attention of the top folks on their cloud services side.

If there's any way I can add another voice to the requests/fire, I'd love to do so. I can't even use my own app because of this.

 

[ChasingCoral]

I just spoke to the FordPass Guide who called me back after the escalation. It sounds to me like they are guessing.

"Maybe it is some sort of home automation app. Please delete every home automation app to see if that works."

"It might be an external service. Please delete your Recurrent app as well."

"It also may be a service you have for getting a discount to charge the vehicle."

"By the way, if your account is reinstated and a violation is reported again your account will be locked out permanently."

"If you really want to use any home automation apps, maybe you just won't be able to use FordPass"

@Ford Motor Company: I bought a Mustang Mach E and an F-150 Lightning from you. The app has been working for a year and a half. I was using those automation apps before I bought either car. Why can't you tell me what is causing the issue and have me delete that one rather than turning my smartphone into a dumb phone?

I'm really questioning Ford's ability to handle the technology they are selling.

The good news is that this issue has now come to the attention of the top folks on their cloud services side. I'm back in my accounts now and all is fine again. The following is from those sources in Ford who know what is going on wrt this problem.

No surprise, it has NOTHING to do with those home automation apps. I'll be reinstalling those and rebuilding whatever broke by deleting them.

It also has nothing to do with the use of charging apps like Electrify America, ChargePoint, etc. They are independent log-ins with no access the Ford account or direct vehicle access other than through the charging ports via approved charging communications protocols.

It was all about Recurrent and their use of the Smartcar service they use to access information. I've discontinued that service and changed my Ford password. Don't use any service that accesses your account using Smartcar or you will almost certainly be locked out. @Gimme_my_MME speaks to that in posts above.

The combination of actions had also killed the PaaK on my Mach E and my Lightning. I was able to re-activate PaaK in one try in the Lightning but had an issue in the Mach E. If the vehicle won't connect to Ford and stalls, delete PaaK in that vehicle:
Paak reset
From SYNC :
Tap vehicle icon
Tap Settings/General
Tap Reset
Tap FordPass Connection Reset
Tap Phone as a Key Reset

Then reactivate Paak key setup for all drivers on vehicle

One other insight: these uncontrolled accesses of the vehicle's information can cause battery drain. Some here have reported dead LVBs that are probably driven by this. I have been receiving these warnings for the last few weeks (since a few weeks after signing up with Recurrent):

Hopefully that power drain issue will go away now as well.

 

[ChasingCoral]

If there's any way I can add another voice to the requests/fire, I'd love to do so. I can't even use my own app because of this.

Unless you get Ford to approve your app, you may not be able to use it without risking another lockout.

 

[mkhuffman]

The good news is that this issue has now come to the attention of the top folks on their cloud services side. I'm back in my accounts now and all is fine again. The following is from those sources in Ford who know what is going on wrt this problem.

No surprise, it has NOTHING to do with those home automation apps. I'll be reinstalling those and rebuilding whatever broke by deleting them.

It also has nothing to do with the use of charging apps like Electrify America, ChargePoint, etc. They are independent log-ins with no access the Ford account or direct vehicle access other than through the charging ports via approved charging communications protocols.

It was all about Recurrent and their use of the Smartcar service they use to access information. I've discontinued that service and changed my Ford password. Don't use any service that accesses your account using Smartcar or you will almost certainly be locked out. @Gimme_my_MME speaks to that in posts above.

The combination of actions had also killed the PaaK on my Mach E and my Lightning. I was able to re-activate PaaK in one try in the Lightning but had an issue in the Mach E. If the vehicle won't connect to Ford and stalls, delete PaaK in that vehicle:
Paak reset
From SYNC :
Tap vehicle icon
Tap Settings/General
Tap Reset
Tap FordPass Connection Reset
Tap Phone as a Key Reset

Then reactivate Paak key setup for all drivers on vehicle

One other insight: these uncontrolled accesses of the vehicle's information can cause battery drain. Some here have reported dead LVBs that are probably driven by this. I have been receiving these warnings for the last few weeks (since a few weeks after signing up with Recurrent):

Hopefully that power drain issue will go away now as well.

The custom apps like the Android widget many of us were (are) using is technically a violation of the same terms and agreement they are using to justify locking our accounts, right? I am afraid to reinstall the widget and risk getting my account locked again.

 

[sockmeister]

The custom apps like the Android widget many of us were (are) using is technically a violation of the same terms and agreement they are using to justify locking our accounts, right? I am afraid to reinstall the widget and risk getting my account locked again.

Yes, it's likely. Anything that makes a request to the API runs the risk of flagging your account. Test it with a dummy account tied to your car, first.

 

[sockmeister]

The good news is that this issue has now come to the attention of the top folks on their cloud services side. I'm back in my accounts now and all is fine again.

I really want to believe this. Back in February of this year I had brought it up to the engineering team when I finally got a hold of them, but it seems like since then no changes were made to handle it. Hopefully things are different now.

And yeah, there's an API call you can make that forces a "wakeup" of the car to poll its information. I was aware of this and made it an optional setting in my app with time limits, but I don't think every app takes this into consideration and it could definitely use power if not done conservatively. Waking up the 12v system to have the car send data to the server uses tiny, but not negligible, amounts of power. Some 3rd party apps were doing this every 2 minutes 24/7.

 

[Gimme_my_MME]

Some 3rd party apps were doing this every 2 minutes 24/7.

Smartcar is doing it hundreds of times a minute

 

[ChasingCoral]

The custom apps like the Android widget many of us were (are) using is technically a violation of the same terms and agreement they are using to justify locking our accounts, right? I am afraid to reinstall the widget and risk getting my account locked again.

I ditched that months ago when the API issues first surfaced. It was too finicky anyway.

 

[ChasingCoral]

Smartcar is doing it hundreds of times a minute

I've also told Recurrent why I disconnected and I won't reconnect until they have Ford's approval. I'll be Ford's guinea pig but not Recurrent's. Recurrent said they are checking into the problem as well.

 

[kennelh]

I've also told Recurrent why I disconnected and I won't reconnect until they have Ford's approval. I'll be Ford's guinea pig but not Recurrent's. Recurrent said they are checking into the problem as well.

I forgot about my Recurrent account and removed the Mach-E this morning.

 

[sockmeister]

Smartcar is doing it hundreds of times a minute

That's bad, but slightly different if they're just polling the servers (and not the car). Still that would be insane (imagine scaling that to thousands of users... )

 

[Av8tor]

Me too. Removed Vehicle from Tronity, ABRP Tronity Link, and Recurrent. Requested my account be reactivated.

 

[ChasingCoral]

This was posted in another thread in August and deserves repeating:

Use Caution When Sharing Your Login Credentials

Important Notice: We’ve become aware other companies are asking Ford customers for FordPass account login credentials and information from their vehicles to provide services. By sharing your FordPass account information with outside companies, you’re putting your personal information and vehicle functionality at risk. Before sharing information with any company, please read their privacy policies to understand what data is collected and how it is used.

Sponsored