PSA: Unauthorized API use can disable your FordPass account

[RedRider]

So if Ford doesn't want third parties accessing their servers, why didn't the just start filtering and rejecting those requests but leave the FordPass app and website alone? Do you think this decision got seriously discussed inside Ford? I can't imagine senior management agreeing to something that would disenfranchise so many users without notice and less drastic alternative solutions.

Sponsored

 

[Herb]

Maybe I am missing something......but if they have your user name and password then why would Ford prevent them from connecting? If you give your fob to somebody, then they might drive off with your car. I don't see any other place to point our finger at except the mirror.

This is likely why Ford is likely suspending our user accounts, as we gave our user name and password to our utility company or someone who offers to monitor our EV. I suspect they are trying to protect customers from 12v drain and warranty for those who signed-up for a utility company discount. As ocr_salty wrote, he was unaware that his utility company was using smartcar. How many other MachE customers, who may not be as tech-savy as this forum are in the same boat? Could Ford have communicated better? I believe that we all would say yes.

After about 5 weeks my account has now been unblocked. They’ve not said yet which app was to blame. The widget or smartcar, though it could be both. I have passed this thread on to the expert at my energy supplier as I’ve asked them to look into the legitimacy of smartcar (who they chose to use). So will wait to see what they find.

As ocr_salty calls out, it is about the legitimacy of smartcar and other services. When I was suspended for using Optiwatt, the Fordpass guide told me that smartcar and others are not authorized to use Ford services. As a community, we should approach tronity, smartcar, and our app providers to work with Ford on gaining legitimate access. It appears that tronity is already in discussions with Ford from a previous post to gain access. I hope that this is a sign of things to come.

 

[eltonlin]

I got the "IBM security verify" email and initially thought its was spam, but now see that it's a horrible notification that my account is suspended.

I had added my car to optiwatt and recurrent; deleted the car from both of those services now.

Any tips on the best way to re-enable the account? I've seen online chat and phone...

 

[SnBGC]

This is likely why Ford is likely suspending our user accounts, as we gave our user name and password to our utility company or someone who offers to monitor our EV. I suspect they are trying to protect customers from 12v drain and warranty for those who signed-up for a utility company discount. As ocr_salty wrote, he was unaware that his utility company was using smartcar. How many other MachE customers, who may not be as tech-savy as this forum are in the same boat? Could Ford have communicated better? I believe that we all would say yes.



As ocr_salty calls out, it is about the legitimacy of smartcar and other services. When I was suspended for using Optiwatt, the Fordpass guide told me that smartcar and others are not authorized to use Ford services. As a community, we should approach tronity, smartcar, and our app providers to work with Ford on gaining legitimate access. It appears that tronity is already in discussions with Ford from a previous post to gain access. I hope that this is a sign of things to come.

I am actually shocked that anyone would give their username and password out to strangers. My utility company wants my charging data so they offered to pay me a small fee if they could collect it from the EVSE. If they would have asked me to give them my FordPass or Ford.com credentials then I would have told them to pound sand. I have no idea what tronity or smart car is, but if we want to share data with those places then we should collect it ourselves, clean it and then send it to them. Our phones collect the data and then we send it to them as needed. That way we know what information they are getting and how often.

I am already uncomfortable with the fact that Ford can override and take control of my car's functions......it will be a cold day in hell before I knowingly give that same power to 3rd party companies too.

 

[Herb]

I am actually shocked that anyone would give their username and password out to strangers. My utility company wants my charging data so they offered to pay me a small fee if they could collect it from the EVSE. If they would have asked me to give them my FordPass or Ford.com credentials then I would have told them to pound sand. I have no idea what tronity or smart car is, but if we want to share data with those places then we should collect it ourselves, clean it and then send it to them. Our phones collect the data and then we send it to them as needed. That way we know what information they are getting and how often.

I am already uncomfortable with the fact that Ford can override and take control of my car's functions......it will be a cold day in hell before I knowingly give that same power to 3rd party companies too.

The problem is that Optiwatt (and all of these apps) provided a login screen which mimicked the Fordpass login screen. This is something that phishing does, not legitimate companies. I agree with you 100% on sharing userid and password with someone else. If you are reading this Optiwatt, Smartcar, and others, how about getting legit with Ford so that we can continue to use your service.

 

[cditty]

So if Ford doesn't want third parties accessing their servers, why didn't the just start filtering and rejecting those requests but leave the FordPass app and website alone? Do you think this decision got seriously discussed inside Ford? I can't imagine senior management agreeing to something that would disenfranchise so many users without notice and less drastic alternative solutions.

This is an easy one to answer. Ford either didn't care or think about the customers on this. Heck, I financed through ford. If I hadn't set up autopay, how would I make payments? If I used PAAK and was on a trip, how would I get the car and myself home? If they had even had one conversation about this and thought about that stuff, they would have thought otherwise.

 

[opus]

Turns out, I did have an Optiwatt account from March that I'd completely forgotten about. Had to do a search through my email to find a reference to it. So I removed my car from that-do I need to do anything else before I reach out to Ford? Do I need to reach out to the devs at Optiwatt as well?

 

[macchiaz-o]

Turns out, I did have an Optiwatt account from March that I'd completely forgotten about. Had to do a search through my email to find a reference to it. So I removed my car from that-do I need to do anything else before I reach out to Ford? Do I need to reach out to the devs at Optiwatt as well?

Change your Ford.com password as soon as possible after Ford restores your access.

 

[Izzle]

Really doubtful it was HA. There's likely thousands of people using that integration because it's used for both EV and ICE vehicles.

Can confirm, I use it, works great! But I'll be ready if they flag my account, thanks for he heads up OP.

 

[macchiaz-o]

This is an easy one to answer. Ford either didn't care or think about the customers on this. Heck, I financed through ford. If I hadn't set up autopay, how would I make payments? If I used PAAK and was on a trip, how would I get the car and myself home? If they had even had one conversation about this and thought about that stuff, they would have thought otherwise.

I have a loan with Ford but I've never made any payments through Ford Credit's web site. You have several other options.

Paak users should always set up a door pin and a backup start password.

While I agree Ford should have reiterated its policy more often and more loudly, it's been in their customer terms for many years now:

Ford authorizes you to view and download the materials at this Site only for your personal, non-commercial use.​

And Ford's terms for the FordPass service do clearly state that your limited license to the data and services they provide are restricted from being used in several ways. Any violation of these restrictions may be cause for disabling access.

The following is from the terms that every North American user agreed to in order to sign in to FordPass (with my own emphasis added):

14. Limited Licenses

FordPass and any content (images, logos, text, music, sounds, wallpaper, badges, etc.), data or software made available through or in connection with FordPass (including via FordPass-related websites) (collectively, “FordPass Content”) is owned by us or used under license. FordPass Content is protected by worldwide copyright, trademark, patent, trade secret, or other proprietary rights whether or not a copyright notice or other proprietary mark is present. You agree to comply with all copyright laws in your use of FordPass Content, including preventing any unauthorized copying. Except as expressly provided herein, we do not grant any express or implied proprietary rights to FordPass Content.

Subject to your compliance with these Terms and any other terms communicated in connection with specific FordPass Content, we grant you a non-exclusive, non-transferable, limited right to access, view, use, display and listen to FordPass Content for your personal, non-commercial use only. You agree not to dispute our claims of ownership or validity of our rights in FordPass Content.

If you violate any of the Terms, your rights will immediately terminate and we may terminate your access to FordPass Content without notice and without any refund of fees, if applicable.

Any right or authorization granted to you by us is also subject to the following restrictions:

• you may not, nor allow third parties to, create derivative works, use any data mining, robots, or similar data gathering and extraction tools, create a database, download or store FordPass Content other than as licensed above, link or frame FordPass Content, extract, derive or attempt to extract or derive any source code or structure of all or any portion of FordPass Content by reverse engineering, disassembly, decompilation or any other means;
• you may not use FordPass Content in any manner that is unlawful, abusive, defamatory, deceptive, or invasive of another’s privacy;
• you may not use FordPass Content with other content or in a manner that impersonates any person, business or entity, including us;
• you may not interfere, try to interfere, disrupt, or try to disrupt our servers or networks, or disobey any of our network access or security requirements;
• you may not use FordPass Content to engage in conduct that reflects poorly upon or disparages our reputation or goodwill; and
• you may not use FordPass Content in conjunction with adult content or that promotes illegal activities, gambling, or the sale of tobacco or alcohol.
• If you are not the bill payer for the mobile telephone or device being used to access FordPass Content, you will be assumed to have received permission from the bill payer to use FordPass Content or Features.

 

[ThatGuyLando]

I'm curious for those using these third party apps:

Are these applications literally asking you for username+password or are they sending you to ford's login page?

I'm trying to set up a Developer account to see what it takes to create an application that follows all their guidelines.

They have a fordconnect api which clearly states in the description
"FordConnect uses OAuth 2.0 authorization code flow and authorization scopes."

Meaning that if the third party apps are using OAuth (which there are several ways of implementing) then you should be good.

EDIT: Dear lord, after making a developer account, in pure Ford fashion I'm met with this:

API reference
There was an error requesting this API.

 

[macchiaz-o]

I'm curious for those using these third party apps:

Are these applications literally asking you for username+password or are they sending you to ford's login page?

I'm trying to set up a Developer account to see what it takes to create an application that follows all their guidelines.

They have a fordconnect api which clearly states in the description
"FordConnect uses OAuth 2.0 authorization code flow and authorization scopes."

Meaning that if the third party apps are using OAuth (which there are several ways of implementing) then you should be good.

EDIT: Dear lord, after making a developer account, in pure Ford fashion I'm met with this:

Smartcar asks for the user's Ford username and password.

Sites like Recurrent Auto claim it's OAuth, but they only mean the connection between the one third party (e.g. Recurrent) and the other third party, Smartcar. It's very misleading.

 

[opus]

I finally got in touch with someone via Ford chat yesterday. All they would tell me is that my account is blocked, and that someone from "our IT department" will have to review it. I asked them for a list of apps that are "unauthorized", and unsurprisingly, they didn't have one to give me. I removed my car from Optiwatt, and emailed the developer to confirm that it had been removed from their system. So now I guess I wait for Ford's decision.

Of all of the problems I've had since ordering this car three years ago–from delivery, to software, to hardware–this might actually be the final straw. I don't even know what else is out there, but it's time to start researching.

 

[bp99]

I asked them for a list of apps that are "unauthorized", and unsurprisingly, they didn't have one to give me.

I would not expect them to have a such a list. Most unauthorized apps are trying to look like Ford Pass when talking to Ford's servers and are not announcing themselves. They likely know of a few offenders, but don't have a comprehensive list. You can't have a list of what you don't know.

I would expect that they have a list of authorized apps as those require registration with Ford. Although I would not be surprised if Ford doesn't make it available to customer service. This is what they should make available with a link from within Ford Pass under Account > Help.

 

[cditty]

I have a loan with Ford but I've never made any payments through Ford Credit's web site. You have several other options.

Paak users should always set up a door pin and a backup start password.

While I agree Ford should have reiterated its policy more often and more loudly, it's been in their customer terms for many years now:

Ford authorizes you to view and download the materials at this Site only for your personal, non-commercial use.​

And Ford's terms for the FordPass service do clearly state that your limited license to the data and services they provide are restricted from being used in several ways. Any violation of these restrictions may be cause for disabling access.

The following is from the terms that every North American user agreed to in order to sign in to FordPass (with my own emphasis added):

14. Limited Licenses

FordPass and any content (images, logos, text, music, sounds, wallpaper, badges, etc.), data or software made available through or in connection with FordPass (including via FordPass-related websites) (collectively, “FordPass Content”) is owned by us or used under license. FordPass Content is protected by worldwide copyright, trademark, patent, trade secret, or other proprietary rights whether or not a copyright notice or other proprietary mark is present. You agree to comply with all copyright laws in your use of FordPass Content, including preventing any unauthorized copying. Except as expressly provided herein, we do not grant any express or implied proprietary rights to FordPass Content.

Subject to your compliance with these Terms and any other terms communicated in connection with specific FordPass Content, we grant you a non-exclusive, non-transferable, limited right to access, view, use, display and listen to FordPass Content for your personal, non-commercial use only. You agree not to dispute our claims of ownership or validity of our rights in FordPass Content.

If you violate any of the Terms, your rights will immediately terminate and we may terminate your access to FordPass Content without notice and without any refund of fees, if applicable.

Any right or authorization granted to you by us is also subject to the following restrictions:

• you may not, nor allow third parties to, create derivative works, use any data mining, robots, or similar data gathering and extraction tools, create a database, download or store FordPass Content other than as licensed above, link or frame FordPass Content, extract, derive or attempt to extract or derive any source code or structure of all or any portion of FordPass Content by reverse engineering, disassembly, decompilation or any other means;
• you may not use FordPass Content in any manner that is unlawful, abusive, defamatory, deceptive, or invasive of another’s privacy;
• you may not use FordPass Content with other content or in a manner that impersonates any person, business or entity, including us;
• you may not interfere, try to interfere, disrupt, or try to disrupt our servers or networks, or disobey any of our network access or security requirements;
• you may not use FordPass Content to engage in conduct that reflects poorly upon or disparages our reputation or goodwill; and
• you may not use FordPass Content in conjunction with adult content or that promotes illegal activities, gambling, or the sale of tobacco or alcohol.
• If you are not the bill payer for the mobile telephone or device being used to access FordPass Content, you will be assumed to have received permission from the bill payer to use FordPass Content or Features.

While I can understand this, they are still taking away access from car features that I paid for. Ford should have blocked the incoming api calls from the websites and not canceled the user access to paid for features.

Just going to use my trip yest as an example. I was 1.5hrs away from home. If I had been using paak and that access had been removed, I still have my number code. Wait, what is it? Hell, I haven't used it since I set up the car. I can't remember it. Wait, I have it in my phone. Phew. Now what? Can we actually start the car with a code? (I don't know. Can we?) If we can't, who is going to pay for having my car towed 90 miles home or to the dealership to troubleshoot?

But the fact that ford decided to lock people out of the features that they use without thinking when they should have handled it a different way and then notified the users. Punishing the customer is never a good way to get repeat buyers. This is my first ford. If I continue to be locked out of the app and the features I use, then it will be the last. I like the car, but I don't like having paid for features and then being told I can't use them.

Sponsored