PeeKay (Pravin, OP) - Well-Known Member, joined Apr 2, 2021, Sunnyvale, CA, 2021 Job 1 MachE, Retired
On Nov 11, 2021 I noticed that I could no longer log in to any of the ford.com websites. My FordPass app still continued to function, but I could not install/log in on any additional phones.

After three months of trying various avenues for resolution, I was able to get my login re-enabled.
I was advised that the Cyber Security team at Ford had flagged my account, due to anomalous API use.

I had installed/used the Home Assistant integration for FordPass. I had never entered an incorrect password at any time, so it is unclear why the account was flagged.

This also has implications for using the iOS and Android widgets, which may periodically poll the website for updated info.

Pravin

sockmeister - Well-Known Member, joined Sep 24, 2020, Pennsylvania, 2021 Mustang Mach-E4x, SW Engineer
On Nov 11, 2021 I noticed that I could no longer log in to any of the ford.com websites. My FordPass app still continued to function, but I could not install/log in on any additional phones.
After three months of trying various avenues for resolution, I was able to get my login re-enabled.
I was advised that the Cyber Security team at Ford had flagged my account, due to anomalous API use.
I had installed/used the Home Assistant integration for FordPass. I had never entered an incorrect password at any time, so it is unclear why the account was flagged.
This also has implications for using the iOS and Android widgets, which may periodically poll the website for updated info.

Pravin

Well, this puts a damper on our apps, although plenty of us have been using them without issue.
Can you tell me -- what was the user agent the Home Assistant integration was using with FordPass? Maybe that's how they detected it?

PeeKay (Pravin, OP) - Well-Known Member, joined Apr 2, 2021, Sunnyvale, CA, 2021 Job 1 MachE, Retired
Well, this puts a damper on our apps, although plenty of us have been using them without issue.
Can you tell me -- what was the user agent the Home Assistant integration was using with FordPass? Maybe that's how they detected it?

I'm not very familiar with how that is done in Home Assistant.

The code for the integration is here: https://github.com/itchannel/fordpass-ha

But, I suspect that the HA code itself decides what user agent is specified by its http client (that is just my guess).

I stopped using the integration after that incident.

sockmeister - Well-Known Member, joined Sep 24, 2020, Pennsylvania, 2021 Mustang Mach-E4x, SW Engineer
For anyone encountering this, I ran into the same issue while building an app. The error is a nondescript "CSIAH0320E", which seems to indicate that the account was manually disabled due to suspected malicious activity. It's annoying that they don't even bother to inform you what's going on, they just lock it.

The Fordpass team working on my open case (for 3 weeks) has been apparently stumped. I'm going to ask them to get me in contact with the IT Security Team, whoever that is...

sockmeister - Well-Known Member, joined Sep 24, 2020, Pennsylvania, 2021 Mustang Mach-E4x, SW Engineer
I'm not very familiar with how that is done in Home Assistant.

The code for the integration is here: https://github.com/itchannel/fordpass-ha

But, I suspect that the HA code itself decides what user agent is specified by its http client (that is just my guess).

I stopped using the integration after that incident.

Looks like HomeAssistant is using the same FordPass user-agent everyone else is using. I suspect that's what's triggered it, since I was using a different one before.

Python:
# Default request headers in the fordpass-ha integration. The User-Agent
# mimics the iOS FordPass app (CFNetwork is Apple's networking framework,
# Darwin its kernel), so by this header alone the server cannot tell the
# integration apart from the official app.
defaultHeaders = {
    "Accept": "*/*",
    "Accept-Language": "en-us",
    "User-Agent": "FordPass/5 CFNetwork/1197 Darwin/20.0.0",
    "Accept-Encoding": "gzip, deflate, br",
}
 
PeeKay (Pravin, OP) - Well-Known Member, joined Apr 2, 2021, Sunnyvale, CA, 2021 Job 1 MachE, Retired
Really doubtful it was HA. There's likely thousands of people using that integration because it's used for both EV and ICE vehicles.

Yes, I know that this integration has been used for other vehicles as well. But other than that integration, there is no place other than FordPass and my browser where I've used the login/password.

So, the only suspect in my case was the HA integration. In my email contact with Ford, the agent specifically mentioned that "Unauthorized API usage" had flagged my account. So, perhaps some corner case in the polling logic triggered some other error case.

Why this hasn't happened with the numerous others using that same integration, I have no idea.
:-(
 

DevSecOps (Todd) - Well-Known Member, joined Sep 22, 2021, Sacramento, CA, '21 Audi SQ5 / '23 Rivian R1T / '23 M3P, CISO
Why this hasn't happened with the numerous others using that same integration, I have no idea.

I use it extensively and have even polled every 5 minutes for weeks on end.

The only thing I can think of is that you failed to update the integration and it had some old code that caused it.

Searching the open issues on GitHub I can't find anything that would indicate a ban either.
 

sockmeister - Well-Known Member, joined Sep 24, 2020, Pennsylvania, 2021 Mustang Mach-E4x, SW Engineer
Well, we only have these 2 datapoints, that I know of. I guess time will be the test here.
I'm sure my account is flagged for the same reason: "unauthorized API access".

Because my first account took a month or more to get flagged, and I was doing all sorts of login and bad token sends.
The second account took less than a day. They have their eye on it. I am really suspecting the user agent.

Might be worth trying with a throwaway account and a made-up user agent, and seeing if the account gets locked.
 

Gullwingdmc (Chip) - Well-Known Member, joined May 15, 2021, Boston, MA, 2022 Mustang Mach E GT AWD ER - Grabber Blue
This has always been my concern with using non official apps, that and giving away my username and password in plain text.

The only one I use with any regularity is the Siri Shortcuts, and that’s because it doesn’t constantly poll the API, only when I ask it to do something.
 

DevSecOps (Todd) - Well-Known Member, joined Sep 22, 2021, Sacramento, CA, '21 Audi SQ5 / '23 Rivian R1T / '23 M3P, CISO
Looks like HomeAssistant is using the same FordPass user-agent everyone else is using. I suspect that's what's triggered it, since I was using a different one before.

Python:
# Default request headers in the fordpass-ha integration. The User-Agent
# mimics the iOS FordPass app (CFNetwork is Apple's networking framework,
# Darwin its kernel), so by this header alone the server cannot tell the
# integration apart from the official app.
defaultHeaders = {
    "Accept": "*/*",
    "Accept-Language": "en-us",
    "User-Agent": "FordPass/5 CFNetwork/1197 Darwin/20.0.0",
    "Accept-Encoding": "gzip, deflate, br",
}

I know this is an older thread and I debated making a new thread on this but figured that most people won't be attempting to query the Ford Endpoints.

I have confirmed that Ford looks at the user agent string and will lock your account if you call the API with an unapproved user agent. Postman, for example, is an instant block on your account.

Individuals who query the endpoint with an unauthorized user agent string while using the Ford.com authentication tokens will be subsequently presented with a CSIAH0320E error when trying to login. Ford customer service doesn't see the account being suspended because they need the account to remain active for things such as Ford Motor Credit.

The only way to get unblocked is to contact the customer support team and ask them to file a ticket with the IT Security Team. They will likely ask you your "intentions" and then decide if they should unlock your account.

It doesn't look like HA plugins or mobile widgets will cause this because they are obtaining a different auth token specifically for their application and using the correct user agent.

My take - This is dumb. It's your data and Ford is upset that you're accessing your own vehicle's data. I don't know the extent of how they apply the bans but it would be interesting to test with someone else's VIN to see if it causes their account to be locked. I'm not gonna be the guy that tries that though.
 
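
As an added example, not Ford's code and not from the fordpass-ha project, here is a small Python model of the gate the post above describes: an allowlist of approved User-Agent strings, an immediate lock for recognisable API tooling such as Postman, and a delayed lock for any other unapproved client, evaluated over constructed access-log lines. The log format, the two-day window, the tooling prefixes and the account names are assumptions for illustration; the approved string is the one quoted in this thread. The last account shows the weakness raised later in the thread: a script that copies the app's User-Agent passes the check.

```python
"""Model of a User-Agent allowlist gate with immediate and delayed lockouts.

Added example, not Ford's implementation. Policy values and the log format
are assumptions; only the approved User-Agent string comes from the thread.
"""
from datetime import datetime

# Assumed allowlist: the iOS FordPass UA that fordpass-ha sends (from the thread).
APPROVED_USER_AGENTS = (
    "FordPass/5 CFNetwork/1197 Darwin/20.0.0",
)
# Assumed: tooling UAs that lock on first sight (thread reports Postman does).
TOOLING_PREFIXES = ("PostmanRuntime/", "curl/", "python-requests/")
LOCK_CODE = "CSIAH0320E"      # error shown at login once the account is locked
DELAYED_LOCK_DAYS = 2         # assumption modelling "it takes a day or 2"


def parse_log_line(line):
    """Parse '<ISO timestamp> <account> <method> <path> "<User-Agent>"'."""
    ts, account, method, path, ua = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "method": method, "path": path, "ua": ua.strip('"')}


def classify_user_agent(ua):
    """'approved' if allowlisted, 'tooling' if a known API client, else 'unknown'."""
    if ua in APPROVED_USER_AGENTS:
        return "approved"
    if ua.startswith(TOOLING_PREFIXES):
        return "tooling"
    return "unknown"


def evaluate_access_log(lines):
    """Return {account: (status, reason)} under the assumed lockout policy.

    status is "ok" or LOCK_CODE. A tooling UA locks immediately; any other
    unapproved UA locks once such traffic spans DELAYED_LOCK_DAYS days.
    """
    first_unknown = {}   # account -> timestamp of first unapproved request
    result = {}
    for rec in (parse_log_line(l) for l in lines if l.strip()):
        acct, kind = rec["account"], classify_user_agent(rec["ua"])
        if result.get(acct, ("ok",))[0] == LOCK_CODE:
            continue  # already locked, later requests change nothing
        if kind == "tooling":
            result[acct] = (LOCK_CODE, f"immediate lock: tooling UA {rec['ua']!r}")
        elif kind == "unknown":
            first_unknown.setdefault(acct, rec["ts"])
            if (rec["ts"] - first_unknown[acct]).days >= DELAYED_LOCK_DAYS:
                result[acct] = (LOCK_CODE, f"delayed lock: unapproved UA {rec['ua']!r}")
            else:
                result[acct] = ("ok", "unapproved UA seen, within grace window")
        else:
            # Approved UA: the gate has no way to know whether this is the
            # real app or a script that copied the header.
            result.setdefault(acct, ("ok", "approved UA"))
    return result


# Constructed sample log, not real Ford traffic.
SAMPLE_LOG = """\
2022-07-20T08:00:00 alice GET /api/vehicles "FordPass/5 CFNetwork/1197 Darwin/20.0.0"
2022-07-20T08:05:00 bob GET /api/vehicles "PostmanRuntime/7.29.0"
2022-07-20T09:00:00 carol GET /api/vehicles "Mozilla/5.0 (my-widget)"
2022-07-21T09:00:00 carol GET /api/vehicles "Mozilla/5.0 (my-widget)"
2022-07-22T09:30:00 carol GET /api/vehicles "Mozilla/5.0 (my-widget)"
2022-07-22T11:00:00 dave GET /api/vehicles "Mozilla/5.0 (my-widget)"
2022-07-22T12:00:00 mallory GET /api/vehicles "FordPass/5 CFNetwork/1197 Darwin/20.0.0"
""".splitlines()

if __name__ == "__main__":
    for acct, (status, reason) in evaluate_access_log(SAMPLE_LOG).items():
        print(f"{acct:8} {status:11} {reason}")
```

Running it prints one line per account: bob is locked on the first Postman request, carol only once her unapproved traffic spans two days, dave is still inside the grace window, and mallory, a script that copied the app's User-Agent, is never flagged. That last case is the limitation of any User-Agent gate: it only catches clients that do not bother to lie.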

Logal727 (C) - Well-Known Member, joined Aug 23, 2021, Florida, ‘21 Carbonized Gray Mustang Mach-E Premium AWD Ext
It doesn't look like HA plugins or mobile widgets will cause this because they are obtaining a different auth token specifically for their application and using the correct user agent.

Seems like there's no guarantee it wouldn't happen in the future though.
 

DevSecOps (Todd) - Well-Known Member, joined Sep 22, 2021, Sacramento, CA, '21 Audi SQ5 / '23 Rivian R1T / '23 M3P, CISO
Seems like there's no guarantee it wouldn't happen in the future though.

There's likely hundreds if not thousands of people using those integrations. I think they would have a mess on their hands if they did that. But true, there's no guarantee of anything, kinda like our HVBJB's :)

I should add that Ford specifically states that the API can be used with smart home products. It's part of the developer access information.

I think it's a poor choice of data security in general to block someone for something so trivial. If it was a bad actor they would just use the right user agent and get right through. Also the block isn't instant, it takes a day or 2. The damage could have been done.


i8iridium (Pat) - Well-Known Member, joined Aug 5, 2021, Fort Washington, MD, 2022 Mustang Mach E GT, U.S. Air Force
I know this is an older thread and I debated making a new thread on this but figured that most people won't be attempting to query the Ford Endpoints.

I have confirmed that Ford looks at the user agent string and will lock your account if you call the API with an unapproved user agent. Postman, for example, is an instant block on your account.

Individuals who query the endpoint with an unauthorized user agent string while using the Ford.com authentication tokens will be subsequently presented with a CSIAH0320E error when trying to login. Ford customer service doesn't see the account being suspended because they need the account to remain active for things such as Ford Motor Credit.

The only way to get unblocked is to contact the customer support team and ask them to file a ticket with the IT Security Team. They will likely ask you your "intentions" and then decide if they should unlock your account.

It doesn't look like HA plugins or mobile widgets will cause this because they are obtaining a different auth token specifically for their application and using the correct user agent.

My take - This is dumb. It's your data and Ford is upset that you're accessing your own vehicles data. I don't know the extent of how they apply the bans but it would be interesting to test with someone else's VIN to see if it causes their account to be locked. I'm not gonna be the guy that tries that though.

I wouldn't go as far as to say it's "dumb". Ford is using cloud-hosted services like many corporations are these days. They likely pay based on a certain volume, and they've calculated that over the amount of users with their vetted apps (Ford Pass). Figuring out the API and using it for other things presents an unknown to them, with the potential of increased cost and unknown impacts to the vehicles that are being polled. The easy button for Ford is to lock the account.

Now, don't get me wrong, I don't necessarily like their action, but I can understand why.
 

DevSecOps (Todd) - Well-Known Member, joined Sep 22, 2021, Sacramento, CA, '21 Audi SQ5 / '23 Rivian R1T / '23 M3P, CISO
I wouldn't go as far as to say it's "dumb". Ford is using cloud-hosted services like many corporations are these days. They likely pay based on a certain volume, and they've calculated that over the amount of users with their vetted apps (Ford Pass). Figuring out the API and using it for other things presents an unknown to them, with the potential of increased cost and unknown impacts to the vehicles that are being polled. The easy button for Ford is to lock the account.

Now, don't get me wrong, I don't necessarily like their action, but I can understand why.

But as a developer, with a developer account it states that we can access the API. They don't limit it in that manner. It's not an issue of accessing the API, it's how you access it. They actually encourage people to develop out applications for smart home automations in the developer portal. So, contrary to what you wrote, they want more people to hit the APIs, just in the "correct" way that they don't seem to document very well.

The issue is squarely on the user agent and auth tokens, which I personally can't find any reference to them having an issue with in the API documentation. So that's why I'm putting the warning out there.

The security team reached out to me and specifically said "calling the APIs through Postman is not an approved channel".