Valet Mode: Weakness Exposed

kennethjk

Well-Known Member
First Name
Ken
Joined
Sep 3, 2021
Threads
30
Messages
3,331
Reaction score
2,124
Location
NY
Vehicles
MME Prem. EB 4WD, X3, IX50
Occupation
Retired
Summary

I left my car with the airport parking valet and a valet code. After three unsuccessful attempts with the code, my car is now stuck in the entry of the parking and I’m in a different state.

The Whole Story

I’ve just swerved into a problem that @FordMotorCompany apparently did not foresee.

I dropped my new Mach-E off at an airport park-and-ride service this morning and created a valet passcode as I have done on three other occasions.

While I was at my gate I got a notification through the FordPass app that the valet code had been attempted unsuccessfully. By the time I was able to contact the park and ride service they had already unsuccessfully attempted the valet code three times.

This disables valet mode until you return with your phone or a key fob. Before boarding my flight, I unlocked and started the car remotely with the FordPass app. They were still unable to move the car.

I contacted FordPass and explained the situation when my plane landed. They were sympathetic, but genuinely flummoxed. After they consulted for a while they came back and conceded there was nothing that could be done other than give the valet my backup Phone as a Key passcode which they recommended I don’t do.

The Solution

I told FordPass we need to be able to have the ability to manage valet mode within the app. I don’t know if the valet mistyped the code three times or it failed for some reason. The first part of the code was able to open the door, so that part of it worked. But there has to be an override for a failed code or human error whichever it may be.

Until that happens, I’ll have to either give the valet a key fob or create the code, turn off the car, disable Bluetooth on my phone and start the car myself with the code before getting on the airport shuttle.
After I received a couple of updates in the last two days my backup passcode was not working. I only know that since my PAAK did not work right after the update. If I did not have my key with me, I would have been out of luck. I carry it in a Faraday bag as I try out PAAK.

 

daverp

Well-Known Member
First Name
Dave
Joined
Aug 10, 2022
Threads
0
Messages
100
Reaction score
81
Location
Dallas, Tx
Vehicles
VW ID.4, MME Premium (On order)
Occupation
Software
An alternative would be to allow a remote valet code to be created but limited. IE: Car can only go up to 15 MPH and only a distance of 1 mile.
Probably many legality / liability issues there. A car capable of only 15mph wouldn't be street legal and Valet lots are not always close. This would likely introduce as many problems as it solves if not more. Case of this example, Chicago O'Hare depending on which valet lot you are in they radio / call the guy who drives your car over, you could easily be more than a mile away if they had to store your car in the remote lot. As I recall I think LAX was similar where the Valet is remote.
 

daverp

Can't speak for the communication between Ford and the Car but the App to Ford uses TLS 1.2, that part is easy enough to capture from your router. With modern dev tools it's not any harder to code to use standards like TLS so I would be very surprised if the traffic between Ford and the Car is not encrypted also. Direct attacks like that are not the most common vector to breach a system in most cases, the human is the weakest link, typically it's far easier to compromise an account than it is to try and crack the system.

As the example given up above, voice activated door locks can be easily defeated, if you disable the security settings to prevent it. These types of things are the fine balance of usability (keeping the user happy) and preventing the user from doing something stupid (liability).
 

ShaggySS

Well-Known Member
First Name
Scott
Joined
Jul 21, 2022
Threads
7
Messages
482
Reaction score
532
Location
Roseville, CA
Vehicles
2022 Mach-E Premium RWD
Occupation
IT Nerd
Home "security" is a bit of a gaping hole in the industry. For example, if you have voice match disabled and you don't have a lock code set, you can yell through a closed door "Alexa, open the front door" and it will unlock. There's a lot of issues with home security in general.
Don't open that can of worms......Your home also doesn't have wheels so while someone may be able to get into it they "TYPICALLY" :p can't drive away with it so having higher security on something that can be physically stolen is better IMO.

Though if you keep your keys in your house and someone breaks a window and yells at Alexa to unlock the front door.....?
 

ShaggySS

Probably many legality / liability issues there. A car capable of only 15mph wouldn't be street legal and Valet lots are not always close. This would likely introduce as many problems as it solves if not more. Case of this example, Chicago O'Hare depending on which valet lot you are in they radio / call the guy who drives your car over, you could easily be more than a mile away if they had to store your car in the remote lot. As I recall I think LAX was similar where the Valet is remote.
Good points, but at least they could move it out of the way in this case. Ultimately I think it's easier to just leave a fob. Tried and true process for valet.
 


daverp

Good points, but at least they could move it out of the way in this case. Ultimately I think it's easier to just leave a fob. Tried and true process for valet.
Good ideas, but then good ideas meet stupid people and that's where it gets complicated. From a quick google search it looks like in Texas a car must be able to go 35mph to be street legal or 20 but not capable of more than 25mph to be "low speed vehicle" which is limited to travel only on certain roads.

So could Ford even sell (via a dealer) a car in the state of Texas with a feature that would make it illegal to operate? I think a lot of these good ideas run into legality problems when you have to account for stupid people and specific use cases.
 
OP
FrunkMonk-e

Active Member
Joined
Aug 17, 2022
Threads
3
Messages
32
Reaction score
31
Location
Utah
Vehicles
Mach e GT
Ultimately I think it's easier to just leave a fob. Tried and true process for valet.
This is certainly true as the situation stands now - especially if you’re going to go get on a plane.

But for me, it defeats the purpose of Phone as a Key feature. I fly so much that I’ll pretty much be required to keep a fob with me all of the time.
 
OP
FrunkMonk-e

After I received a couple of updates in the last two days my backup passcode was not working. I only know that since my PAAK did not work right after the update. If I did not have my key with me, I would have been out of luck. I carry it in a Faraday bag as I try out PAAK.
Oh wow! Don’t they beta test these before rolling them out?
 

mkhuffman

Well-Known Member
First Name
Mike
Joined
Nov 19, 2020
Threads
29
Messages
6,875
Reaction score
9,507
Location
Virginia
Vehicles
2025 Rivian R1T Tri-Max, Jeep GC-L, VW Jetta
This is certainly true as the situation stands now - especially if you’re going to go get on a plane.

But for me, it defeats the purpose of Phone as a Key feature. I fly so much that I’ll pretty much be required to keep a fob with me all of the time.
You could put the key in the bag you always take on the plane. So you only need to take it out when leaving your car at the airport. And you can still use PaaK.

I always take my fob with me when going out of town, even when just driving. What if I get a flat tire and need to tow the car to a tire shop? Am I going to give the tow truck driver my phone? Or tire monkey? Nope. I pull out the fob and hand it to them. It is in my laptop bag, wrapped in foil.

I always use PaaK. And I always take my laptop with me when I go out of town. So I am ready for my HVBJB to fail. Which it won't, right?
 

ShaggySS

This is certainly true as the situation stands now - especially if you’re going to go get on a plane.

But for me, it defeats the purpose of Phone as a Key feature. I fly so much that I’ll pretty much be required to keep a fob with me all of the time.
I couldn't agree more which is why I keep a fob "hidden" in the car. As a proof of concept, I wrapped it in aluminum foil but after a bit, I realized I could spring for something a little nicer for my expensive car. So I went with this. https://www.amazon.com/gp/product/B092PQQ5J5/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1

When I need to give the key out I remove it from my secret hiding spot and hand it over. Not optimal but allows me to enjoy the freedom with PAAK but still have the peace of mind should something not work as designed or hand it over to a valet or service tech.
 

Mach-Lee

Well-Known Member
First Name
Lee
Joined
Jul 16, 2021
Threads
262
Messages
11,344
Reaction score
24,964
Location
Wisconsin
Vehicles
2022 Mach-E Premium AWD
Occupation
Sci/Eng
Oh wow! Don’t they beta test these before rolling them out?
You must be new here. A while ago they published a new FordPass app version, and it broke PAAK for everyone that updated. Some people were stranded if they didn't have a fob with them, I think it was on a holiday weekend too, so lots of folks away from home. So you might be putting too much trust in Ford's testing skills here.

You never know what's going to break in the next update from Ford. It's usually two steps forward one step backwards.
 

Gloff

Well-Known Member
First Name
Sean
Joined
Mar 26, 2021
Threads
6
Messages
340
Reaction score
581
Location
San Francisco
Website
www.serramonteford.com
Vehicles
2024 F150 Lightning, 2023 Mach E Extended Range, 2007 Mini Cooper Cab,
Occupation
Sales Manager
It didn't allow code entry again after 5 min?
From the owner's manual

System Lockout
The system locks after five attempts of trying to enter a Backup Start Passcode, resetting a current passcode or entering an incorrect Valet Mode passcode.
Note: The system remains locked for five minutes. After five minutes the system allows codes to be entered again.
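
The lockout rule quoted from the owner's manual, modelled next to the behaviour reported at the top of the thread (three failed attempts, then locked until the owner returns with a phone or fob). This is an added example, not Ford's code and not part of any post; the class, the passcode and the timestamps are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class PasscodeGate:
    """Attempt-limited passcode check (constructed model, not Ford's code)."""
    code: str
    max_attempts: int                 # failures allowed before locking
    lockout_seconds: Optional[float]  # None = no timed release
    failures: int = 0
    locked_at: Optional[float] = None

    def _clear(self) -> None:
        self.failures, self.locked_at = 0, None

    def owner_reset(self) -> None:
        """Owner is back with a trusted credential (phone or key fob)."""
        self._clear()

    def is_locked(self, now: float) -> bool:
        if self.locked_at is None:
            return False
        if self.lockout_seconds is None:
            return True               # stays locked until owner_reset()
        if now - self.locked_at >= self.lockout_seconds:
            self._clear()             # timer expired, attempts allowed again
            return False
        return True

    def try_code(self, attempt: str, now: float) -> str:
        if self.is_locked(now):
            return "locked"           # even the correct code is refused
        if hmac.compare_digest(attempt.encode(), self.code.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked_at = now
        return "wrong"

def replay(gate, events):
    return [gate.try_code(attempt, t) for t, attempt in events]

CODE = "4821"  # constructed passcode
# Constructed timeline (seconds, entry): five typos, then the right code twice.
EVENTS = [(0, "4812"), (1, "4281"), (2, "8421"), (3, "4822"), (4, "4820"),
          (60, CODE), (400, CODE)]

def manual_policy():    # five attempts, five-minute lock, per the manual text
    return replay(PasscodeGate(CODE, 5, 300.0), EVENTS)

def reported_policy():  # three attempts, no timed release, as the poster saw
    return replay(PasscodeGate(CODE, 3, None), EVENTS)
```

With the timed lock the correct code works again at t=400; with no timed release the only way out is `owner_reset()`, which is the availability problem the thread is about.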
 

kennethjk

You could put the key in the bag you always take on the plane. So you only need to take it out when leaving your car at the airport. And you can still use PaaK.

I always take my fob with me when going out of town, even when just driving. What if I get a flat tire and need to tow the car to a tire shop? Am I going to give the tow truck driver my phone? Or tire monkey? Nope. I pull out the fob and hand it to them. It is in my laptop bag, wrapped in foil.

I always use PaaK. And I always take my laptop with me when I go out of town. So I am ready for my HVBJB to fail. Which it won't, right?
If the key always should be taken with the driver why even bother with PAAK?

I am trying it now but after my backup code didn’t work, no way would I ever leave without the FOB.
 

DevSecOps

Well-Known Member
First Name
Todd
Joined
Sep 22, 2021
Threads
69
Messages
4,764
Reaction score
11,624
Location
Sacramento, CA
Vehicles
'21 Audi SQ5 / '23 Rivian R1T / '23 M3P
Occupation
CISO
As a proof of concept, I wrapped it in aluminum foil but after a bit, I realized I could spring for something a little nicer for my expensive car.
I still don't understand why people just don't pop the battery out and put the two in the same bag together. Takes just a few seconds and then you don't have to worry that the signal will ever "leak" from a faraday bag or tin foil.