PSA: Unauthorized API use can disable your FordPass account

[JimmyMachE]

Yes, OBD2 dongle should be used when you sit in the car and ignition is on. But it will show the % SOC of the 12V battery and parasitic battery drain from last night - values not accessible with FordPass.

Sponsored

 

[ChasingCoral]

Good news: I'm back in my Ford.com and FordPass now.

Yesterday morning I was sitting in a tree stand, hunting deer, and I received the mystery email from IBMCloud.com telling me I was now FALSE again. I checked my FordPass app and Error code CSIAH0320E had struck again.

I was locked out of my Lightning. Fortunately, the pillar and start codes worked. Otherwise, I would have been literally locked out in the cold.

Since yesterday I've exchanged over 30 emails with Smartcar, Recurrent, and Optiwatt. I had a 30 minute call with Victor Black, Director of Customer Success at Smartcar.

Recurrent had shut down all polling of my system on November 20th (the first incident - thanks @liz_at_recurrent. Y'all had done your job). Smartcar confirmed that. However, it seems an Optiwatt account that was polling Marlin (My Mach E) was the issue.

Here's the thing: I've never had an Optiwatt account. Smartcar and Optiwatt wouldn't tell me who set that account up but did tell me it was set up before Marlin was delivered. That Optiwatt account was apparently still trying to contact Marlin. I've been assured by Optiwatt and Smartcar that offending account has now been deleted as well.

So, I reached back out to my contact at Ford and I'm back online. Fortunately PaaK is still working on Marlin. Sherman (my Lightning) is in the shop getting a malFrunktion fixed. I'll check his PaaK when I get him back.

Now the real mystery is who set up that Optiwatt account? Why? How?

 

[Mach-Lee]

Good news: I'm back in my Ford.com and FordPass now.

Yesterday morning I was sitting in a tree stand, hunting deer, and I received the mystery email from IBMCloud.com telling me I was now FALSE again. I checked my FordPass app and Error code CSIAH0320E had struck again.

I was locked out of my Lightning. Fortunately, the pillar and start codes worked. Otherwise, I would have been literally locked out in the cold.

Since yesterday I've exchanged over 30 emails with Smartcar, Recurrent, and Optiwatt. I had a 30 minute call with Victor Black, Director of Customer Success at Smartcar.

Recurrent had shut down all polling of my system on November 20th (the first incident - thanks @liz_at_recurrent. Y'all had done your job). Smartcar confirmed that. However, it seems an Optiwatt account that was polling Marlin (My Mach E) was the issue.

Here's the thing: I've never had an Optiwatt account. Smartcar and Optiwatt wouldn't tell me who set that account up but did tell me it was set up before Marlin was delivered. That Optiwatt account was apparently still trying to contact Marlin. I've been assured by Optiwatt and Smartcar that offending account has now been deleted as well.

So, I reached back out to my contact at Ford and I'm back online. Fortunately PaaK is still working on Marlin. Sherman (my Lightning) is in the shop getting a malFrunktion fixed. I'll check his PaaK when I get him back.

Now the real mystery is who set up that Optiwatt account? Why? How?

Hmm, are you sure you didn't sign up for another app or program that uses Optiwatt on the back end? The provider may have been hidden from you. Maybe a utility off-peak program? Or maybe you used it long ago with a different vehicle? Smartcar would be able to log in and add any other vehicles on your account automatically with your credentials. Or maybe you just used it briefly and forgot about it? I would go in my email history and search for Optiwatt.

You have some strange history: https://www.macheforum.com/site/threads/mach-e-car-hacking.9718/

 

[ChasingCoral]

Hmm, are you sure you didn't sign up for another app or program that uses Optiwatt on the back end? The provider may have been hidden from you. Maybe a utility off-peak program? Or maybe you used it long ago with a different vehicle? Smartcar would be able to log in and add any other vehicles on your account automatically with your credentials. Or maybe you just used it briefly and forgot about it? I would go in my email history and search for Optiwatt.

I did that. I searched my email and no reference to Optiwatt until the email chain that started yesterday. I checked Optiwatt and don't show an account. I checked my keychain and have no saved credentials for Optiwatt. I did contact my power company (Pepco) to see if they had any programs but no dice.

When discussing this mystery Optiwatt account, my contact at Ford asked me if I had an Android phone. Nope. Definitely not me. Hmmm.

You have some strange history: https://www.macheforum.com/site/threads/mach-e-car-hacking.9718/

Agreed! I don't know if one of those is related. I raised those external attempts to connect to Marlin with my Ford contact today.

 

[Ravensfan1996]

How long after you deleted your vehicle from Optiwatt did your account get restored ?

It’s not the simple, Ford has to reinstate your Account. I deleted optiwatt and a widget many months ago but got blocked 2.5 weeks ago on Nov 28th. I called ford, they said someone would call in 3-5 days. Got a call 3 days later they said they would unlock it and call me. No calls then i went away for a few days, called today they said it was unlocked, but i still couldn’t get in. They said they wil work on it, and got me back in toda

 

[ThatGuyLando]

I got a reply from the co-founder of Tronity, said they are almost ready to release a Ford api compliant update in early 2023.

 

[mkhuffman]

I got a reply from the co-founder of Tronity, said they are almost ready to release a Ford api compliant update in early 2023.

I got a similar email from Nils a few weeks ago. I am not holding my breath.

 

[ChasingCoral]

I got a reply from the co-founder of Tronity, said they are almost ready to release a Ford api compliant update in early 2023.

If you read that carefully it doesn’t seem to say the new API is Ford compliant. It only infers that it is.

 

[danielcb]

If you read that carefully it doesn’t seem to say the new API is Ford compliant. It only infers that it is.

They mentioned that they are working with Ford on a new API, and I believe this is the FordPass API using Oauth2 that is mentioned on Ford's developer website and that is functionally incomplete (based on some previous reports here), at this time.

The biggest issue here is that Ford, decided do put all eggs in the same basked and didn't properly separated sensitive API Calls (unlock, lock, start car) from less sensitive, read only API Calls in their current FordPass API, while not providing a vetted way for 3rd parties accessing those read only APIs.

If they had implemented this properly, with this security separation in mind, 3rd Party that are not aiming to do anything nefarious, like Tronity, could be consuming only the ReadOnly API calls and be away of what is causing the security concerns, such and the Lock and Unlock API calls.

In this mess, IMHO every one is wrong:

1) Ford is wrong by designing a terrible API without proper thinking about securing sensitive API calls, and when their APIs was identified being misused, implementing the easy "fix" of just blocking the account and not the one making the API calls while warning the customer first.

2) 3rd Parties are wrong, specially, SmartCar for deceiving customers by pretending they were logging to FordPass legitimately, or Tronity for asking customer account knowing that this wasn't allowed by FordPass T&Cs.

3) Customers (like me) for not thinking about the repercussions of their acts and trusting blindly their login data to 3rd parties (Tronity in my case).

At least, after all this mess, it seems we are finally moving in the correct direction. Ford surely has a lot of work to do and I hope high in the chain of the new "Ford Model E" they have in mind how important is and it will be software quality, in all aspects, for them to successful.

However, I'm with a bit of mixed feelings for not going with Tesla at this point. Undoubtedly, they know their way around software. TeslaFi, build on top of Tesla's public API is simply amazing...

 

[danielcb]

For fellow Canadian customers, the Canada Ford Pass Phone number you can call is:

1 (855) 542-7821

 

[danielcb]

Actually, reading TeslaFi documentation, they also use same APIs as Tesla's Mobile Apps, so there is no offical 3rd party API: https://tesla-api.timdorr.com/

So I think the issue here is more on Fords lack of capacity to serve so many requests (of course, they are using IBM cloud...) and 3rd parties misusing the APIs.

 

[ThatGuyLando]

Actually, reading TeslaFi documentation, they also use same APIs as Tesla's Mobile Apps, so there is no offical 3rd party API: https://tesla-api.timdorr.com/

So I think the issue here is more on Fords lack of capacity to serve so many requests (of course, they are using IBM cloud...) and 3rd parties misusing the APIs.

Yeah their servers are REALLY slow. Even logging into your Ford account on your computer takes for ever to load things like connected services.

 

[kennelh]

? ? ? ? ?

No phone number. I'll send you a DM with the email address. You have to email them and it will take a couple days.

Yay! Just received a reply to my July 27th e-mail:

Apologies in our delayed response. We have actively been working with our IT and support teams to remedy the issue and provide you support as it relates to your Ford account being locked and/ or disabled. To raise a ticket with the Security team please call # 800-392-3673 , when prompted to state “Why you are calling today?”, state Ford account being locked and or disabled. Do not reference Early Access/EAP, as you will be incorrectly routed to an agent that won't be able to resolve your issue. The correct utterance you speak when calling will ensure you are correctly routed to a team member who can assist you.

 

[mkhuffman]

Yay! Just received a reply to my July 27th e-mail:

I bet we can all think of some incorrect utterances.

 

[ChasingCoral]

In this mess, IMHO every one is wrong:

1) Ford is wrong by designing a terrible API without proper thinking about securing sensitive API calls, and when their APIs was identified being misused, implementing the easy "fix" of just blocking the account and not the one making the API calls while warning the customer first.

2) 3rd Parties are wrong, specially, SmartCar for deceiving customers by pretending they were logging to FordPass legitimately, or Tronity for asking customer account knowing that this wasn't allowed by FordPass T&Cs.

3) Customers (like me) for not thinking about the repercussions of their acts and trusting blindly their login data to 3rd parties (Tronity in my case).

Agreed. The blame truly goes all the way around.

Sponsored