Valet Mode: Weakness Exposed

ZuleMME · Sep 8, 2022

Yes, valet mode works with the fob to lock out settings and limit the car until you enter your code to release the mode. At least that's what the manual says.

Kamuelaflyer · Sep 8, 2022

ZuleMME said:
Yes, valet mode works with the fob to lock out settings and limit the car until you enter your code to release the mode. At least that's what the manual says.

A while back @Benjamin Kegele did a video on how both “methods” of the valet mode work. The one time I needed to use valet mode I used they key. Turns out they just left the car up front as it was clean, shiny and very new at the time.

Tampamike · Sep 8, 2022

I had an interesting and easy interaction with a valet one night. I didn’t have a Fob with me as I don’t drive with it. Ended up at a valet parking restaurant unexpectedly. I tried to initiate the valet park mode while explaining to the valet how it works. Before we get to the activation, he just says “just park it right over there,” which was a prime spot right in front.

Jimrpa · Sep 8, 2022

DevSecOps said:
Biometric is only locally on the mobile device (kinda like saving a password), it wouldn't do anything for the API. If hackers or bad actors got credentials they would script something to use the API. They wouldn't mess with FordPass.

Again, I would encourage more security, but we have a hard time getting release notes from Ford. I had a previous vehicle that would allow me to roll down/up the windows from afar. Ford see's that as a danger. Smaller companies have less vehicles and less complexity to navigate through to do things. Remember, FordPass isn't just for the MachE, it's for all their vehicles including ICE.

I'm not trying to argue with you, I'm just trying to explain how it is. I think your post is educational for a lot of members here about a very unused function. I'll see my way off this thread. I was asked for my opinion so I gave it, but you and any other members are free to push as hard as you want for heightened security to support remote valet codes. I'm all for the fight for heightened security!

Also, a side note: We had a member get banned about a month ago for an avatar with a gun. While I personally have zero issue with guns (or funny avatars), this is an EV forum and there's a lot of easily triggered people (and administrators) here. Tread carefully.

I really appreciate the insight and detailed explanations myself. I was wondering about a number of different potential solutions (myself NOT being a “security guy” but having worked in a number of places where security is important, so respecting the input of those who understand it).
At the end of the day, my thought is that the only “practical” valet mode that is available now is to have a fob available if you think you may be in a situation where an “unknown person” will need to operate your car.

FrunkMonk-e · Sep 8, 2022

DevSecOps said:
Biometric is only locally on the mobile device (kinda like saving a password), it wouldn't do anything for the API. If hackers or bad actors got credentials they would script something to use the API. They wouldn't mess with FordPass.

Again, I would encourage more security, but we have a hard time getting release notes from Ford. I had a previous vehicle that would allow me to roll down/up the windows from afar. Ford see's that as a danger. Smaller companies have less vehicles and less complexity to navigate through to do things. Remember, FordPass isn't just for the MachE, it's for all their vehicles including ICE.

I'm not trying to argue with you, I'm just trying to explain how it is. I think your post is educational for a lot of members here about a very unused function. I'll see my way off this thread. I was asked for my opinion so I gave it, but you and any other members are free to push as hard as you want for heightened security to support remote valet codes. I'm all for the fight for heightened security!

Also, a side note: We had a member get banned about a month ago for an avatar with a gun. While I personally have zero issue with guns (or funny avatars), this is an EV forum and there's a lot of easily triggered people (and administrators) here. Tread carefully.

I know you’re not trying to argue. And I hope you don’t interpret my replies as anything more than a friendly discussion.

I can appreciate that security might be a concern for Ford. However, I can remotely disable my home security system with my phone. I can remotely unlock my doors. It seems like ADT and smart lock companies have managed to figure out the security concerns,

Also, I get emails from some entities when I log in from a different device. Perhaps Ford requires some sort of additional authentication from that email when a different device is used before any functionality is enabled.

iFeckless · Sep 8, 2022

JohnFoxeSheets said:
Dang, that sucks.

When I was newly married I lived in NYC and had a reverse commute to the middle of New Jersey. There was no practical way to use public transit, so I bought the cheapest new car I could - a POS Sentra. It was delivered with only one key (the dealership couldn't find the second key).

Rather than park on the street, I got a monthly pass and parked the car at a tiny garage near where we lived. It was valet parking only since the cars were crammed in. One evening I dropped off my car in the single lane driveway tunnel down into the basement garage, shut the door, and said over my shoulder, "The key's in the car." and started to walk away. A valet says, "Where's the key?" "I just told you, in the car." I replied.

"The car's locked."

I asked if they had a slim jim. They said they didn't and would need to break a window. I told them NFW and we needed to figure out something else. They said go to my apartment and get the spare, but yeah, I had no spare. So I looked and there was just enough room to the side of the car to fit it up against the wall and leave enough space for other cars to pass. But of course this meant moving a locked car sideways. I told them my plan, and they asked me, "Who're we gonna do that?" I said, "we'll lift the car." There were a bunch of us, including one guy that was like 6'5" and maybe 260 pounds of muscle. Moving the back of the car was trivial, but moving the front was a bit more work because engine, and it was facing downhill. Anyway, we got it done in a couple minutes and I told them I'd get the spare key at the dealership and return asap.

That evening my wife and I head out to Brooklyn on the subway go to the dealership and get the spare key they had miraculously found when I called to bitch at them. We got the key but it was too late to get back to the garage before they closed. So the next morning I head over the the garage first thing in the morning to give them the key and get my car. The car was sitting there, unlocked.

They had a slim jim.

Great story. I'm still chuckling!

daverp · Sep 8, 2022

I blame the airport valet for accepting your car without a key fob.

I can pretty much assure you Ford is not going to add a steal my car feature to Ford Pass. Allowing remote override of an anti-theft feature is asking for trouble. Many of the security features done under using your Phone as Key is via local NFC commutations and and not remotely via the cellular modem.

ShaggySS · Sep 8, 2022

I would have to agree the security of being able to remotely issue a key with just a username and password seems like a risk. I think Mach-Lee is on the right path by only allowing that from a phone that is currently registered as a PAAK.

An alternative would be to allow a remote valet code to be created but limited. IE: Car can only go up to 15 MPH and only a distance of 1 mile.

DevSecOps · Sep 8, 2022

daverp said:
I blame the airport valet for accepting your car without a key fob.

I can pretty much assure you Ford is not going to add a steal my car feature to Ford Pass. Allowing remote override of an anti-theft feature is asking for trouble. Many of the security features done under using your Phone as Key is via local NFC commutations and and not remotely via the cellular modem.

To clarify, PaaK is not using NFC at all. NFC has a very small range. PaaK uses Bluetooth.

FrunkMonk-e said:
I can appreciate that security might be a concern for Ford. However, I can remotely disable my home security system with my phone. I can remotely unlock my doors. It seems like ADT and smart lock companies have managed to figure out the security concerns,

Home "security" is a bit of a gaping hole in the industry. For example, if you have voice match disabled and you don't have a lock code set, you can yell through a closed door "Alexa, open the front door" and it will unlock. There's a lot of issues with home security in general.

Again, I would agree that if there's a will, there's a way, securely and safely. I just don't think it will happen, especially given the current architecture. There's things that Ford does that I don't understand completely. I wish I could roll up my windows out of BT range, like my last EV could, but Ford won't let me. I assume that this is to ensure no fingers or appendages are in the way since it would be assumed that you're in visual range when connected via BT.

If you've ever owned an Audi, or dear lord, the whole "key user" system they implement is a nightmare x2. It actually requires the dealer to verify your ID in order to have remote functionality, and the only thing they give you on ICE cars is lock and unlock.

FrunkMonk-e · Sep 8, 2022

ShaggySS said:
I would have to agree the security of being able to remotely issue a key with just a username and password seems like a risk. I think Mach-Lee is on the right path by only allowing that from a phone that is currently registered as a PAAK.

An alternative would be to allow a remote valet code to be created but limited. IE: Car can only go up to 15 MPH and only a distance of 1 mile.

Both of these would be great options.

mkhuffman · Sep 8, 2022

DevSecOps said:
you can yell through a closed door "Alexa, open the front door" and it will unlock.

Wow. Yet another reason I will never get Alexa. Now I hate her even more. ?

FrunkMonk-e · Sep 8, 2022

mkhuffman said:
Wow. Yet another reason I will never get Alexa. Now I hate her even more. ?

I don’t want to go too far off the topic here, but in most cases voice activation is managed through a skill where the user determines the phrase. You could set it to something completely random like “Rumpelstiltskin spin me some gold.” Or you don’t have to use voice activation at all.

mkhuffman · Sep 8, 2022

FrunkMonk-e said:
I don’t want to go too far off the topic here, but in most cases voice activation is managed through a skill where the user determines the phrase. You could set it to something completely random like “Rumpelstiltskin spin me some gold.” Or you don’t have to use voice activation at all.

I am going to yell “Rumpelstiltskin spin me some gold" outside your front door and see what happens. ?

FrunkMonk-e · Sep 8, 2022

daverp said:
I blame the airport valet for accepting your car without a key fob.

If anyone is to blame it’s me (and Ford) for not anticipating this scenario. The valet has never seen a Mach-E before or a passcode system for opening and running the car.

Valet Mode: Weakness Exposed

ZuleMME

Well-Known Member

Kamuelaflyer

Well-Known Member

Tampamike

Well-Known Member

Jimrpa

Well-Known Member

FrunkMonk-e

Active Member

iFeckless

Well-Known Member

daverp

Well-Known Member

ShaggySS

Well-Known Member

DevSecOps

Well-Known Member

FrunkMonk-e

Active Member

mkhuffman

Well-Known Member

FrunkMonk-e

Active Member

mkhuffman

Well-Known Member

FrunkMonk-e

Active Member

Similar threads