PSA: Unauthorized API use can disable your FordPass account

[ThatGuyLando]

I shared your question with Smartcar and this comes direct from them:

We absolutely want to be using the Ford Connect API and OAuth. That’s been our goal from the start, and the only reason we haven’t done so yet is because Ford didn’t provide either of those until recently. But, if you look into the documentation (by creating a Ford Developer account), you’ll see it’s not totally complete or usable just yet. As soon as the native API and OAuth are ready to be implemented, we will switch over to them.

Looks like they have it working now, the only thing I couldn't figure out is how to easily request an api clientId + secret. Looks like you need to get in contact with them (good luck with that).

Sponsored

 

[LinkRS]

Howdy All, I do not yet have a Mach-E yet (estimated time of delivery is Dec 15 - 21), and just finished reading this entire thread, all 17 pages of it. I wanted to elaborate on the logic behind the account blocking. Granted, this is just an educated guess based information gleaned from this thread, and the Ford developer portal, but the problem isn't that they are hostile towards 3rd party apps, it is *HOW* these apps are accessing the vehicle information. In order to make sure that nothing nefarious is happening, Ford is blocking any and all activity they detect that looks suspicious. The problem is many of us are just victims in this, as we are not doing anything suspicious, but apps that we have no reason to mistrust are. Technically it is the app that should be banned, but the only way to do that, is to ban the account that is being used to access. It seems that these suspect apps are doing something perceived as sneaky, like impersonating you or pretending to be another app to gain access (also knows as spoofing). The response provided by @liz_at_recurrent from the SmartCar team seems to prove this idea, that SmartCar is NOT using the public API as expected, as the public API does not yet do what they (SmartCar) need/expect it to do, so they found another way. Ford has the duty to all of its customers to protect their service, so this banning behavior is supposed to be protecting all of us. If you get banned (or are banned), you should reach out to the vendor of whatever app (or apps) you are using and poke them to do things the "right way." The response SmartCar gave, makes me very wary about using anything that uses it. They seem to feel justified by their actions, but the people who are suffering from this, are their users. :-(

 

[mkhuffman]

What is smartcar?

https://smartcar.com/

 

[Mach-Lee]

Hey Liz can you confirm you guys are indeed using the ford connect api and properly using oauth as per Fords own documentation? @Ford Motor Company

The answer is no, see her reply. Smartcar is doing their own bad things until Ford releases the API, and that's why Recurrent users will continue to have their accounts locked. It will not be safe to use a Smartcar-powered app until the Ford OAuth API is officially released and the apps do everything 100% correctly. They need to just STOP until it's ready.

 

[benk016]

I shared your question with Smartcar and this comes direct from them:

We absolutely want to be using the Ford Connect API and OAuth. That’s been our goal from the start, and the only reason we haven’t done so yet is because Ford didn’t provide either of those until recently. But, if you look into the documentation (by creating a Ford Developer account), you’ll see it’s not totally complete or usable just yet. As soon as the native API and OAuth are ready to be implemented, we will switch over to them.

Liz you do realize that they just admitted to you that they are not using an official connection to Ford for this data correct?

 

[GoGoGadgetMachE]

I shared your question with Smartcar and this comes direct from them:

We absolutely want to be using the Ford Connect API and OAuth. That’s been our goal from the start, and the only reason we haven’t done so yet is because Ford didn’t provide either of those until recently. But, if you look into the documentation (by creating a Ford Developer account), you’ll see it’s not totally complete or usable just yet. As soon as the native API and OAuth are ready to be implemented, we will switch over to them.

Thank you for coming on here Liz. This is a somewhat hostile audience in this situation, I think, and I appreciate that you made the effort even with that being the case.

Now, that said, there's definitely an issue on the Recurrent side as well, and redirecting it completely to Smartcar isn't completely accurate in my view. After deleting all vehicles from Recurrent, it looks like Smartcar still holds on to the information and tries to access FordPass, which is broken - removing any applicable information from Recurrent should remove the Smartcar side as well. As it stands right now there is no clear way for someone to go to Smartcar and say "remove this," because we aren't the customers of Smartcar, you are at Recurrent.

 

[ChasingCoral]

Here's a form email I received from Recurrent after turning off their service on my two vehicles:

Hello, We noticed that we have not received any recent data from your Ford vehicle. This may be due to a vehicle sale, a FordPass password change, a disconnect request on your part, or something else. We have become aware of an issue with Ford servers locking 3rd party app users out of their FordPass accounts and we wanted to check to see if this affected you at any point. This issue may occur after some period of time using Recurrent (via Smartcar connection) or other third party vehicle monitoring services. If you encountered any issues your FordPass account or received any communications from Ford about it, we’d love to hear from you (reply to this email or contact us at [email protected]) so we can better understand the impact on Ford drivers. Thanks in advance, Andrew Leonard

Andrew Leonard Customer Success Manager​

 

[ThatGuyLando]

But as a developer, with a developer account it states that we can access the API. They don't limit it in that manner. It's not an issue of accessing the API, it's how you access it. They actually encourage people to develop out applications for smart home automations in the developer portal. So, contrary to what you wrote, they want more people to hit the APIs, just in the "correct" way that they don't seem to document very well.

The issue is squarely on the user agent and auth tokens, which I personally, can't find reference to them having an issue with in the API documentation. So that's why I putting the warning out there.

The security team reached out to me and specifically said "calling the APIs through Postman is not an approved channel".

Which if postman has the right Auth token is pretty ridiculous.

 

[liz_at_recurrent]

Here's a form email I received from Recurrent after turning off their service on my two vehicles:

Hello, We noticed that we have not received any recent data from your Ford vehicle. This may be due to a vehicle sale, a FordPass password change, a disconnect request on your part, or something else. We have become aware of an issue with Ford servers locking 3rd party app users out of their FordPass accounts and we wanted to check to see if this affected you at any point. This issue may occur after some period of time using Recurrent (via Smartcar connection) or other third party vehicle monitoring services. If you encountered any issues your FordPass account or received any communications from Ford about it, we’d love to hear from you (reply to this email or contact us at [email protected]) so we can better understand the impact on Ford drivers. Thanks in advance, Andrew Leonard

Andrew Leonard Customer Success Manager​

Yup - we are trying to understand how many Ford drivers have been affected by this.

@GoGoGadgetMachE In terms of Smartcar, I am happy to put anyone in touch with them if there are concerns about lingering connectivity. The best way to do that is to email me at [email protected] so I can copy them. They have many clients aside from us so there is no way for us to access or touch their data.

 

[GoGoGadgetMachE]

Yup - we are trying to understand how many Ford drivers have been affected by this.

@GoGoGadgetMachE In terms of Smartcar, I am happy to put anyone in touch with them if there are concerns about lingering connectivity. The best way to do that is to email me at [email protected] so I can copy them. They have many clients aside from us so there is no way for us to access or touch their data.

EDIT: my answer here is "yes", see my followup.

EDIT 2: I've been in touch with Smartcar - they've been very friendly and direct - and at the moment, nobody's sure exactly what is going on. By that I mean, Recurrent is sending the right API, and Smartcar has said that my VIN is not anywhere in their system now. I'm now in a holding pattern with respect to Ford.

----------------------------------------------------------

From a quick look at the API docs, it looks like the question I'm asking translates to "are you calling https://smartcar.com/docs/api#delete-disconnect properly when you have a car removed from your service?"

if the answer is "no", well, that's my complaint in a nutshell.

if the answer is "yes", then it's on Smartcar at that point.

 

[GoGoGadgetMachE]

From a quick look at the API docs, it looks like the question I'm asking translates to "are you calling https://smartcar.com/docs/api#delete-disconnect properly when you have a car removed from your service?"

if the answer is "no", well, that's my complaint in a nutshell.

if the answer is "yes", then it's on Smartcar at that point.

To follow up on my own post, I've been in discussion with Recurrent and they have very quickly confirmed that they are in fact calling the proper Smartcar API, so that means the issue is on the Smartcar side.

Since others have been using other Smartcar-consuming apps, this goes back to being broader than Recurrent in any event, but I at least wanted to address my own statement here in the interest of fairness.

 

[737flyer]

Just got locked out of FordPass for using Duke Energy’s EV charging off peak hours. Just found out that Duke Energy had approval from Ford to use the FordPass. The right hand doesn’t know what the left hand is doing.

 

[Mach-Lee]

Just got locked out of FordPass for using Duke Energy’s EV charging off peak hours. Just found out that Duke Energy had approval from Ford to use the FordPass. The right hand doesn’t know what the left hand is doing.

That is not correct. Ford did not approve the SmartCharge Rewards app access whatsoever. That sounds like a lie that is being perpetuated by Smartcar to their app partners, and passed on to you.

I repeat, Smartcar (nor any apps that use them) never had approval or an agreement with Ford to use FordPass to access vehicle information.

You will notice SmartCharge Rewards has cut ties with Smartcar due to the unauthorized use of user data. It now requires an OBDII dongle.

 

[737flyer]

Well I talked to a customer support manager at Duke energy. That’s what they told me.

 

[Mach-Lee]

Well I talked to a customer support manager at Duke energy. That’s what they told me.

Because they were lied to by Smartcar. They tell partners their spoofed FordPass login page is evidence they work with Ford via OAuth, but it's fake. When you entered your Ford password during the initial setup, that was a fake website hosted by Smartcar designed to look like the real Ford website, Ford logo and everything:

Sponsored