This is idiotic. Ford can work and create a proper API accessing OUR car data. But they did it in a lame way and now they ban people from their apps without any warnings or explanations. Running a Python script that checks battery status is not an "unauthorized use", it's complete BS. They can impose some API limits, sure, but banning accounts out of the blue and sending a cryptic, phishing-looking email (from IBM, what?) is just such a dick move.

BTW, PAAK stops working as well, so literally locked out of the car.

eltonlin

Well, I'm here because I'm locked out, and get this, the only thing I have connected is Home Assistant. Locally, on my own machine. I've not given the password to anyone, or to an outside service. It's all operating on my local machine.

Someone mentioned an email address to someone at Ford. Would you mind sending me that email address? I'll write to these folks from my ford.com address (sigh, I'm a salaried engineer at Ford with access to developer.ford.com API's, and now I have to go through this crap).

I repeat: I've not used any outside service. Just my own instance of Home Assistant. Those of you that think Home Assistant is safe might want to disable FordPass until we can figure out what's going on.
Try calling FordPass: +1 (833) 385-0512

They submitted a ticket and escalation and it was resolved in a day for me...
 

Skelton

I work in IT. If I had worked on this team, I would have looked at where all the traffic was coming from. WOW. We really have 1,00 users coming from this IP range? A 2-minute look would have determined that it was X app. Block that range. Issue a warning to the user and tell them what happened. Don't block them.
I disagree with your approach for a few reasons. Namely that the apps/services aren't the core problem. That is the user who's setting up those connections.

I do agree that users should be warned before taking action. It's dumb that they haven't.

The idea that whomever Ford's paying to drive this security should play whack-a-mole with whatever IP range that's almost definitely hosted by AWS, Google Cloud, or Azure is madness though. That's more work and less reliable as an ongoing fix.

Dealing with the customer is the right move. It allows you to proactively prevent future occurrences, but it does require Ford to not suck at communication. Publish it clearly, warn them once, and then disable. It probably wouldn't be a bad idea for that first lock-out to automatically re-enable after a set amount of time to see if they learned their lesson.
 

ThatGuyLando

I disagree with your approach for a few reasons. Namely that the apps/services aren't the core problem. That is the user who's setting up those connections.

I do agree that users should be warned before taking action. It's dumb that they haven't.

The idea that whomever Ford's paying to drive this security should play whack-a-mole with whatever IP range that's almost definitely hosted by AWS, Google Cloud, or Azure is madness though. That's more work and less reliable as an ongoing fix.

Dealing with the customer is the right move. It allows you to proactively prevent future occurrences, but it does require Ford to not suck at communication. Publish it clearly, warn them once, and then disable. It probably wouldn't be a bad idea for that first lock-out to automatically re-enable after a set amount of time to see if they learned their lesson.
Not only that, but depending on how Ford's infra is set up you'd have to block a GIGANTIC IP range if they are using something like serverless functions. Seems to be Azure if it's cloud-based, or some kind of on-prem Microsoft solution they have going on.
 

bp99

This is idiotic. Ford can work and create a proper API accessing OUR car data. But they did it in a lame way and now they ban people from their apps without any warnings or explanations. Running a Python script that checks battery status is not an "unauthorized use", it's complete BS. They can impose some API limits, sure, but banning accounts out of the blue and sending a cryptic, phishing-looking email (from IBM, what?) is just such a dick move.

BTW, PAAK stops working as well, so literally locked out of the car.
There's a difference between creating an API for their own app and creating a public API for third parties to use. Applications that have sniffed/debugged FordPass/web page traffic to learn the API usage are not using an approved public API. Yes, a Python script calling a private API is "unauthorized use".

Ford is well within their rights to shut down such apps, especially if they're causing excessive server load and/or creating 12V battery drain issues on cars. They should have been more proactive and sent advanced notice to all Ford Pass account owners that such a crackdown was imminent and to change passwords/stop using any third party app.
 


balthisar

There's a difference between creating an API for their own app and creating a public API for third parties to use. Applications that have sniffed/debugged FordPass/web page traffic to learn the API usage are not using an approved public API. Yes, a Python script calling a private API is "unauthorized use".
The API used in Home Assistant's FordPass integration is the approved, public API though. Credentials aren't passed to some outside service; they're on my own machine from my own IP address. I don't have the FordPass terms of use link handy right now, but there's nothing in there that mentions we're doing anything wrong.
 

balthisar

Try calling FordPass: +1 (833) 385-0512

They submitted a ticket and escalation and it was resolved in a day for me...
I did that last night, but they told me it would be three to five days. But, what's your definition of "resolved"? I still want to use the public API and adhere to the FordPass terms of service just like I already was, without being locked out again.
 

AllenXS

Ford guides are on holiday and will be available from tomorrow morning.
In other words, we locked you out at the start of a longer holiday to maximize the pain.
 

ThatGuyLando

The API used in Home Assistant's FordPass integration is the approved, public API though. Credentials aren't passed to some outside service; they're on my own machine from my own IP address. I don't have the FordPass terms of use link handy right now, but there's nothing in there that mentions we're doing anything wrong.
I had a hunch this might be the case =/. They seem to be just blindly locking accounts because of traffic coming from outside FordPass, regardless of whether it's legit or not. If they are doing it because of server load they might want to start upgrading their back-end, going to "connected services" on your ford account through Ford's own website takes about 15+ seconds to load all the time.

It's part of the reason I doubt the new UI will improve responsiveness, I might end up selling the mach-e just out of frustration of dealing with the software in it. It's a shame because the car is super fun to drive and looks awesome, but when you put controlling the entire car through software only, you can't drop the ball on the software.
 
Liz
Hi All - this is Liz from Recurrent, one of the startups that seems to be (inadvertently) triggering these lockouts.

I'm echoing the email we sent to our Ford drivers to let you know that we're happy to help out any way we can if you've had issues due to our service. We take this very seriously - I can't imagine getting locked out of your car - and are trying to figure out a resolution.

Feel free to drop me a line here or at [email protected] with questions or thoughts.
 

ThatGuyLando

Hi All - this is Liz from Recurrent, one of the startups that seems to be (inadvertently) triggering these lockouts.

I'm echoing the email we sent to our Ford drivers to let you know that we're happy to help out any way we can if you've had issues due to our service. We take this very seriously - I can't imagine getting locked out of your car - and are trying to figure out a resolution.

Feel free to drop me a line here or at [email protected] with questions or thoughts.
Hey Liz, can you confirm you guys are indeed using the Ford Connect API and properly using OAuth as per Ford's own documentation? @Ford Motor Company
 

MikeM67

Called the number in this thread and escalated the ticket. The call taker was able to get my account escalated to be resolved within 24 hrs. I've never had any 3rd party apps connected, but the initial call taker (when I opened the ticket) asked if I had a VPN on my phone, which I thought was interesting. I did have "Google One" VPN installed and have since removed it just to be safe.
 

Ravensfan1996

Try calling FordPass: +1 (833) 385-0512

They submitted a ticket and escalation and it was resolved in a day for me...
I chatted online with them; they said they would call in 3-5 days. Saw your post and called, and they said they can't do anything but someone will call me.
 

TRP

Got a voicemail last night from Ford stating that my account was unlocked and good to go...................tried logging in today and a big fat NOPE. Still locked.

Not sure I'll even bother calling back to figure this out :rolleyes:
 
Liz
Hey Liz, can you confirm you guys are indeed using the Ford Connect API and properly using OAuth as per Ford's own documentation? @Ford Motor Company
I shared your question with Smartcar and this comes direct from them:

We absolutely want to be using the Ford Connect API and OAuth. That’s been our goal from the start, and the only reason we haven’t done so yet is because Ford didn’t provide either of those until recently. But, if you look into the documentation (by creating a Ford Developer account), you’ll see it’s not totally complete or usable just yet. As soon as the native API and OAuth are ready to be implemented, we will switch over to them.