Fordpass account disabled #533
Comments
This just happened to me too. I tried creating a new account and registering the VIN number, but that VIN number is already registered to the original owner (my first account). That account has to transfer the rights but I can't log in to that account anymore. I will try contacting Ford to re-enable my account. Fordpass Netherlands |
I have mailed [email protected] and asked them to look into this Home Assistant addon. |
I just did the exact same thing. |
I have had the same problem since 1:00 am today and also an e-mail from Ford Germany. I will try contacting Ford to re-enable my account (unfortunately only possible by telephone from 10:00 am). Fordpass Germany |
Please give me feedback about the outcome, I'm locked too. |
Hello Fordpass France |
Same issue here, also in the Netherlands. Called the number and they told me I would need to reset my pass after 24 hours and reinstall the app. Also can not continue using this "third party app". Why is Ford doing this? This integration (correct me if I'm wrong) is just using their own regular API, right? Why are they suddenly going so hard on account lockouts? They also mentioned that if it happens more than 3 times your account will be permanently locked, and you will be unable to use the FordPass app again, pretty extreme if you ask me. |
Happened here in the US as well. Reached out to a Ford contact about it and will see what happens from there. I agree it's extreme. I also understand Ford's side, but HomeAssistant needs to be available. Their stance is actually hurting Ford as a brand for users. It's also hampering development internally as well. |
Knock on wood no notices here in the US and the HA integration is still functioning. I do have a separate account setup for HA so it's the only thing that ever interacts with it. |
I have reached out to ford as well, to investigate the possibility to see if this plugin might be able to get an official status for the ford API, hopefully they will respond. |
Was it through the FordPass Connect Project Manager as well? Just curious the path you have! |
I just sent an e-mail to [email protected], do you think there are better entry points? |
I just had my account unblocked by phone but I had to promise not to use the Home Assistant addon anymore. I asked if Ford has plans to come up with an addon for Home Assistant themselves but there are no plans for that yet. For now I have no other choice than to disable this addon and hope for an addon from Ford itself but I won't hold my breath on it. |
Blocked my account too. Problem is Ford is using GDPR as an argument to close the account because of using the API, but GDPR is not there to protect Ford's use of data, it is to protect the user's own personal data, which is by definition in GDPR the PERSON OWN the data, and the law is meant to protect the user against Ford using the data, not the user itself, since the data we are accessing is our own data. Ford is blocking access to our own data that we own, and Ford by consent can use, store and process. As a user owning the data we are not a data processor by GDPR, we are the owner of the data, and Ford is borrowing the data from us on the terms we accept, it is not the other way around. |
Yeah that shows Ford doesn't understand GDPR at all which would mean they are likely in violation. As I am US based, I am not protected under that. However Ford is using it as a blanket policy. The Ford team I have been in contact with was open enough to work between myself and the security team who did this action to the accounts. According to the security team, they will action any account that sees over 300 requests per day. This is by user and not VIN. Essentially that means an update every 5 minutes. However I took back to them that this is not a viable workaround as users need as close to real time as possible. Especially for those with EVs who need to track charging curve data / performance. I suggested increasing this limit to 1000 which gets it down to an every 1.5 minute update. I did state that 1500 would be best as that would be every 60 seconds. We will see what they say, but for now everyone should switch to an update every 5 minutes. Just know that you'd be limited to about 12 remote start or lock / unlock commands per day at that rate. |
At least if there is a limit we could work around it, maybe by using multiple accounts. For myself I just need the charge percent and the location to do smart charging and limit the charge percent, since Ford's own system is buggy and drains the 12V battery after it reaches the charge limit set in the app. It is just annoying every time it stops working, and very unnecessary. I am considering just using an OBD adapter and some esphome code to do the same thing, without FordPass. |
Very good info to know and perfectly explains why I haven't been locked out yet (FP User account solely used by HA and refresh interval set to 15m). Sadly I don't see it in the README here but I believe it's been recommended at one point or another to set up a separate account as an authorized user for your VIN if only to prevent your main account from being locked out. But it would also help here under the assumption that they'd count all requests (both from HA + the FP app) from a single account in their auditing process. |
Only issue with multiple accounts would be that it could look suspicious in itself having multiple on the same VIN. There is also a limit of 5 per VIN I believe and that would only get you down to every 1 minute. Personally I have myself and my spouse with accounts and so I would only be able to do 3 alternates to get data from. Not really a great experience there. My contact did hand the information over to security so they can understand it better. Hoping they play ball here and increase the limit to something reasonable. |
My understanding is that what usually gets people caught is excessive API calls, either too many or too frequently. But when you talk to whomever answers the phone, they always say it's because the terms and conditions don't permit third-party apps. I know most people don't read those, but I have, and they don't (I'm a lawyer, so my reflex whenever someone cites some law or contract or something as a reason I can't do something, I always see if they're right--usually the answer is no). In fact, the T&C explicitly contemplates that you might use FordPass accounts with third-party apps, so they take great care to disclaim any liability for problems the third parties might cause. The closest to a clause forbidding them is one that says you can't let a third-party use data associated with your account. But it DOES expressly allow YOU to access and use your data. I think this is aimed at all those apps that track your charging in exchange for discounts, etc--they are trying to use your data for their own commercial purposes. But this HA integration only exists to let the user access their own data for their own use. It does not seem to run afoul of the T&C. Thing is, the average IT grunt or customer-service rep doesn't get that--they just get an easy-to-digest script about "no third party apps" so they'll just tell you that. |
Not sure what model you have and I'm not familiar with how this operates in the newer Ford plug-ins, but the previous C-Max/Fusion PHEVs operated like this intentionally. While the EV battery is actively charging the onboard charger will maintain 12V power so the process can complete. Once the EV battery is fully charged or reaches its charge limit, the vehicle will then go into a top-off stage of the 12V battery and once complete, the entire thing shuts down leaving the 12v battery to operate on its own. Same as an ICE vehicle with the key off. There's no concept like many modern EVs from other manufacturers of having the 12v battery occasionally topped off from the EV battery while sitting parked (even unplugged). |
Out of curiosity, is everyone in this thread using the v 1.70 fix with the roundabout way for getting a login token? I just switched to that yesterday after deactivating the integration when Ford broke v 1.68. Wondering whether the newer version satisfies Ford as being more "official." |
Yes, we used 1.70 |
The Mach-E is periodically recharging the 12V battery while turned off and not charging, it will start a recharge cycle when reaching 50%. This happens in all conditions, except when setting a HVB charge target in FordPass. When it reaches the charge target it shuts completely off and disables the auto-recharge loop for the 12V battery also. This does not happen if charge target in FordPass is disabled and charging is disabled on the wall box. This is why I need the HA working, as this is how I control the charging at home. Since I have the HA integration with the 12V status in a sensor I have verified this behaviour. |
My account hasn’t been disabled (yet), but I’ve received this notice twice now in 24 hours. I’m on 1.7.0 and have my refresh on my two vehicles set to 900 seconds. This cat and mouse game is ridiculous. It shows that Ford does not understand the power of enthusiast buyers and what these actions will do to hurt their growth potential. |
I understand why they are concerned about the average owner who doesn't know much about technology handing over their login credentials to apps like Optiwatt that are going to bombard their servers with API requests and try to monetize drivers' data, but most people who use HA are more tech savvy and really just want to use the data for their own purposes. The blanket, unthinking blocking of any third-party app is unnecessary and will definitely turn off enthusiasts who are able to create apps and integrations like this for almost every other connected car brand out there. I think the bigger issue is that they don't seem to have the resources or infrastructure to make their own app work with their systems half the time, and opening the sandbox to third-party players is going to be that much more overwhelming. Most of their own support employees don't seem to understand how everything works, and throwing too many third parties into the mix probably worries them a bit. What's weird though is that they make their third-party developer resources fairly widely available (though documentation is all but nonexistent). I stopped being an IT geek for a living more than 20 years ago (now I'm an IT geek for fun) and I had no problem getting a developer account and credentials and their Postman environment. I'm not sure why they'd be so open with these resources and then not let people use them. |
For me, I only want the vehicle's odometer reading for automatic daily updating in my Google Spreadsheet for personal/business expense tracking for Revenue Canada! Damn |
I'm in the US and got the notification to reset my password 2 days ago due to suspicious activity. It did take a few hours for the integration to stop getting new data. I just disabled the FP integration after resetting my password. It was just a "nice to have" integration, I wasn't using it for anything serious and it's not worth losing access if Ford decides to ban my account. |
Now on top of everything else in my life I have to try and remember to record my odometer manually...... |
It now seems that I'm getting these suspicious activity alerts every 24 hours. The only "workaround" right now is to "change" my password as instructed (note the same password works), and then "add device" in the FordPass integration for HA following the token retrieval steps for 1.7.0. The integration then works for almost 24 hours before Ford flags it again... I'm glad I'm using a secondary account for this, but this is super annoying. |
I'm on 1.70 and have the polling set to 30 minutes. I'm not getting any emails from Ford. |
Same issue here. Account was blocked last month, contacted service desk to unblock it. Service desk told me max polls is 250/day, so I set polling interval at 600s which gives 144/day, so should be ok. After a week it's blocked again. Don't know what to do because I'm using it for 2y already to control EV charging at home. |
There seems to be no way. There are many different explanations given by Ford for different users when asking, so don't assume the information given from Ford support is accurate. To me they are telling me the problem is that I have put the "VIN number" into "some app", and apparently they seem to not understand that the VIN number is printed on the outside of the vehicle, and still think they can block my account based on this "secret VIN number" having been given away to "some app". (This is of course not the reason my account is getting blocked.) The number of requests per day is probably not the reason for blocking, rather it might be what could flag the account for further investigation. Also there is not a 1:1 between number of "polls" and number of requests. Today the API is giving only 403s to me, that is the FordConnect API. The account linking page documented also gives 403 after logging in. Seems they have closed it, or it might have stopped working. The API endpoints are giving 403 even for valid access tokens. It could be they have soft-closed my account since I can still log in, but the API is responding with access denied on everything. The strange thing was I signed up for another "developer account", and I got the exact same client ID and secret, on a different account, with a different email address, so I am assuming this means everyone is getting the same ID/secret, and the only thing making it different is that the account linking links the access/refresh token to the specific account, and that the "client ID" and "client secret" have no actual purpose at the moment. If anyone wants to verify, the sha256 token of the client secret I got is: Last time I got the account unblocked they also threatened me with that they would block me permanently if "I used a third party app once again", so I think there is not really a path forward using the Ford APIs, public API or not. 
Edit: I managed to try to create a third account totally separate with no vehicle linked before it was closed, and also on that one I got the same credentials, (but not working since vehicle link endpoint has been closed down) |
Thanks for documenting this. I don't use this add-on, but I do use my own custom code that polls the API every ~20 minutes to control charging via HA and OCPP. Anyway, I had just refreshed my token yesterday and it was fine, but today I started getting 403 errors all over, including the oauth page you mentioned. I thought it was just me, but I guess not. Very disappointing. |
Only one word comes to mind for this and it has 4 letters: %46%55%43%4B |
It’s very frustrating. Is it GDPR violation? They have my data, but won’t let me have it. |
I would say it's not in conflict with the GDPR, but it will be in conflict with the European Data Act that will come into power September next year. That entitles users of IOT devices to the data generated by them. Cars are mentioned in the explanation of that regulation. |
I just got locked out of the public API as well. Comical that on the FordConnect API they say “who’s this for,” and the first thing listed is “independent developers.” When I go into “My Profile” I can see that my credentials have been cleared and the button to create new credentials has been locked out. Their FAQ makes it seem like a “project” needs to be registered first to create credentials. Maybe that could/needs to be done centrally by @jonepet or @itchannel to create a “registered application,” then us actual users just leverage the linking process. |
I thought I got locked out last night so I pulled the plug--had my alternate account delete my car, cleared my token, uninstalled the integration. I couldn't access my car from the FP app this morning, and it eventually put up a screen I can't get past that says it's in "maintenance mode." I texted Ford's support to ask what was up, assuming this was their way of stealth-blocking me. Turns out there's legitimately an issue with remote access: "FordPass is currently experiencing an outage impacting Remote Commands including lock/unlock, remote start requests and Phone as a Key. Our teams are working to resolve this as quickly as possible, however there is no ETA at this time." Kind of wish I hadn't pulled the plug because the integration was working well for me--mostly because I used it for "read only" purposes after reading a comment somewhere in this thread about the integration hammering lock commands, etc, if it didn't get an immediate response. I'm thinking the frail nature of their systems is the real reason they get wigged out about us using this integration, and they're just hiding behind the TOS or EU data laws or what have you. I'm a lawyer, and whenever someone tries to justify their position with "the law says" or "the contract says" but can't say which law or contract clause, I go read the relevant authority. I've read the TOS, and my opinion is that not only do the TOS not forbid this integration, it arguably explicitly permits us to use it, and my opinion is that an argument can be made that Ford is violating the TOS by blocking us from using this integration. It also doesn't make sense to offer developer accounts and public API access for third-party app development and then block people for doing it. Granted, I left IT over 20 years ago to go to law school (which is the equivalent of leaving most other professions for like 100 years) but I don't remember things working that way. 
No other company I know of that offers developer access like this then shuts you down for, you know, developing software. I know some people have been talking to some folks at Ford already, so I've been holding off, but I do happen to have one connection in Ford's C-suite whom I know personally. It'd be a bit of a "Hail Mary," so I've been saving it for "emergency use only," but if the official dev team wants me to try throwing that Hail Mary, I can give it a shot. |
My access came back, so looks like it was the outage, and not being "locked out." I guess I was a bit apprehensive with all of the people reporting being locked out. |
Wait, are you able to get a new OAuth token? Whenever I sign in to the OAuth page, I get the "get_client_permissions_error, 403-Forbidden." error. My existing (several day old) token is apparently expired, according to the API, whenever I make a request. |
Yes, I was just now able to do that. I will say that it didn't seem to work at first. In frustration, I highlighted the URL in my browser and hit return to "resubmit" it and that seemed to do the trick. I also used a private window in Firefox to try and cut down on interference from cookies, etc. |
It's still not working for me, even with private windows, new browsers, etc :( The fact that the Word doc hosted on their onedrive, detailing how to manage tokens, is gone is also cause for concern for me... |
I just want a straight answer from Ford about what to expect. Tesla overhauled their API recently, but made it clear what the path forward was and showed zero hostility to 3rd party app developers (basically you need to register as a "fleet" manager to write anything to the API). I have a feeling that a lot of this dev work is done by 3rd party vendors and that very few people, if any, at Ford have a comprehensive understanding of the entire Fordpass program from end to end, and are therefore unable to assess risk and make authoritative decisions on fringe issues like this. I doubt there are many other entities out there trying to scrape Ford's API. Yanking the C-Suite's chain would be awesome, if for no other reason than to understand their thought process so that we can calibrate our expectations. |
I think they got tired of being asked, so now the logged in page on developer.ford.com is saying this instead of the greyed out "create credentials"-button "At this time, we are no longer accepting sign-ups for the FordConnect API ". |
What a stupid game they're playing... while still advertising "Add Ford to smart home products" in their use cases section. Because: "Customer access to their Ford vehicles using smart home devices adds convenience every day". The key benefits according to their own page are:
Oh really? The only acceptable reason to block access is this potential security issue (although, is that really critical without the access token?):
By the way, this page lists the data points available: https://developer.ford.com/eu-connected-vehicle-data |
Would anyone that can dictate this extremely well want to take a stab at Change.org and push it to Ford? It's worth a shot. |
Good idea!
|
For an idea of how messed up Ford's software development team is, take a look at this: https://www.macheforum.com/site/threads/ford-developer-api.40081/ The person who responded is an "ex" software dev with Ford Pass, and they didn't even bother to read the links I posted, to say nothing of not even knowing that Ford exposed a public API. Not sure how "ex" they are, but it's not that (a) API endpoints and documentation magically appear overnight - that takes months of planning, at least, and (b) FordPass isn't even that old of a product. |
I suspect that their general inclination is correct, in that the API was not intended to be consumed by end users. If I had to guess, the purpose of this API was intended to be exclusively b2b with companies that have a CISO that knows what they're doing. The worst case scenario for any always-on connected fleet of anything that contains a lot of user data is a massive breach. If they have a contract with a smart home company, they can enforce terms with them and hang them out to dry if said company exposes user data via negligence or malice. In our case, if thousands of HA users' environments get breached, and Ford product user data gets sold, or worse chained to some other attack (think location monitoring of a head of state for instance), the liability for Ford is potentially catastrophic. I'm speculating here a bit obviously but would be surprised if this wasn't a significant part of their thought process. At least for me I find it extremely useful to understand a person's frame of mind when trying to persuade them of something. |
That's great; however, I don't remember seeing anywhere in the TOS regarding personal use. Plus, if they had just read the documentation in the link provided, they would have seen that the API is/was indeed public, instead of just jumping to the conclusion of "this is unauthorized backdoor use of internal APIs". I work with plenty of devs who are single-track minded with heavy tunnel vision, which leaves them unable to see what the issues are before jumping to obviously nonsensical and waste-of-time conclusions. |
I agree that that's probably their thinking, but it's also based on a fundamental misconception of Home Assistant. From a legal perspective, those of us using HA are not "third parties"--we are actual parties to the agreement. Most of us use HA on our own equipment and are the only ones who have access to it. Most of us also have a house that other people built, but the fact that someone else built it doesn't undo the fact it's our house and we control access to it. Treating HA like Optiwatt and Smartcar.com and the like is comparing apples to oranges. Having been an IT geek for a living before becoming one for fun, I remember this attitude cropping up in another context: fear, or even outright knowledge, that the system is not actually very stable or well developed, and a fear that allowing access to it to too many people will reveal that. The hyper-control is a symptom both of ego and a fear of having one's lack of competence discovered. Smaller companies than Ford with fewer resources have no problem allowing people reasonable access to their APIs even when they don't officially have a public API (hat tip to Emporia Energy, for example, who allows an unofficial "official" HA integration to exist). A company of Ford's size and resources should be able to build a system that can handle HA users accessing it, but I think they're afraid that allowing such access will reveal that they can't build such a system. |
There is some good news on the horizon: the European Data Act will come into power on 12 September 2025. That entitles users of IOT devices to the data generated by them. See this explanation:
So, in less than a year from now, they will be forced to make this data available to us. Hope they give in earlier and provide a good API well before that. |
The problem I see in your logic is if they never provide a public API then how can they be accused of withholding data when there's no API? |
I opened a ticket last week to ask to create a project, this is the (ridiculous) reply I just received: Thank you for your interest in Ford’s Developer Marketplace and FordConnect APIs. Unfortunately for now a decision has been made to no longer provide credentials and access for FordConnect. If this changes in the future, we will update developer.ford.com. Thanks! Vasanthi |
I got the same mail for a request I sent in September. I was already using the FordConnect APIs until Ford pulled the plug... I guess the buzz we generate is starting to set things in motion inside Ford. |
It's not about whether they have an API but about whether they have data. See the following explanation from the same site:
For further details, see the regulation here. |
That is quite vague and open to all sorts of interpretation. I do not see it explicitly stating that they must provide an API for me to access my data. They can argue that I do have access to my data...through their app. |
I would say this is a description of an API: |
Funny, sounds like an exact application for my C-Max. In this case as well as for those with the Fusion Energi/PHEVs they have dropped nearly every useful function from the FP app. Right now all we get is basic EV/fuel range/levels, lock/unlock/remote start, location, odometer, oil life, and basic warning light notifications. But their API has WAY more data coming in from the vehicle, most of which previously existed either in FordPass or the previous MyFordMobile app. They are receiving and storing it. Just not making it available to me as an end user. This is really what I want. Just give me the raw data and interpret it as I see fit. Also the functions for scheduled charging and cabin preconditioning are still there in the TCU. That firmware has not been updated and at least in the very early days of the 4G upgrades for these vehicles those worked. That's also gone and SORELY missed. Pie in the sky kind of request, but if they want to wash their hands of these older vehicles in light of these requirements, let me activate the TCU on my own cellular plan and point it to my own servers. I'd be more than happy to disconnect it completely from Ford and talk to the vehicle directly. |
I agree as long as "data cannot be directly accessed by the user from the connected product or related service" then there needs to be an API to access all of our data. |
Today I received an email from Ford that my Fordpass account has been disabled due to suspicious activity.
_This is part of the mail.
"We have disabled your FordPass Account because we have been notified of suspicious activity related to your account.
For an optimal experience, we recommend that you do not use FordPass with third-party apps, as this can result in vehicle quality issues such as faster battery drain and other potential safety risks."_
I use this app for Home Assistant as the only app besides the Fordpass app itself.
Are there more users who have received such an email from Ford?
According to Ford, a number of third party apps are allowed, but this monkey probably isn't one of them.
Is it possible to have this app approved by Ford because I use this more than the Ford app itself?
If this is not possible or successful, I'm afraid I'll have to delete this app.
Fordpass user in the Netherlands (Europe)
Thanks.