fordpass-ha
Locked out of Ford Account
I wasn't able to access my Ford account at all. I finally got a hold of someone and they said they lock any account that has over 20,000 API calls in a week. I didn't see anywhere to change the interval for API calls.
What else do you have that touches your FordPass data?
My utility offers a rebate for "Off-Peak" charging, whose app was refreshing and calling the API every 5 minutes 24/7; that's 10,080 calls from just one app, before calls from the FordPass app, phone widgets, etc.
Since removing the utilities access, the interval can be attributed to FordPass/widget refresh and the HomeAssistant refresh calls.
For what it’s worth the same happened to me today; my account's been locked.
Also, see this:
lots of pages:
https://www.macheforum.com/site/threads/unauthorized-api-use-can-disable-your-account.13893/page-11
Also locked out today....
Link I posted above suggests it isn’t even a number of calls, it’s that the request didn’t come from FORD APP. This app is ALL I had setup to do anything with my vehicle.
Thanks,
Blaine
--
Sent by carrier pigeon
On Nov 29, 2022, at 15:10, itchannel wrote:
> I'd be interested to know if you were using any other apps that use the Fordpass API? As by default the HA integration only makes a vehicle call every 15mins. Of which that involves at max 5 API requests (Per Vehicle).
> - Call to check oauth token
> - Refresh or renew if needed
> - Get latest Vehicle status from /status endpoint
> - Get latest Messages from /messages
>
> So in theory the max API calls it should be making per week is 3,360 calls (Per Vehicle), which is only 20 per hour, which is nothing in API terms.
So currently the integration checks every 5mins for status updates. Which shouldn't cause any API issues as that's barely anything but if Ford are making the limit even less then I could add the ability to set your own update interval in the GUI or you can do it manually by editing the init.py files on line 37 and changing the below line to another value in seconds (Keep it more than 300)
SCAN_INTERVAL = timedelta(seconds=300)
Is that not what they wanted here?
Feature Request: Forcibly Limit API Calls · Issue #217 · itchannel/fordpass-ha (github.com)
I appreciate anything that could be done but I can’t have my app not work; I won’t be able to continue forward with it. Yesterday started the evidently long journey to getting account unlocked.
Thanks,
Blaine
--
Sent by carrier pigeon
@blaine07 they wanted a physical limit which would be hard to enforce with HA reboots etc. However adding the ability to change how often it updates for each individual user is probably the way forward.
I've been away for a while but will see what I can mock up later today.
1.39 has been released which includes a new default poll interval of 15mins instead of 5 as well as the ability to change this in options.
Locked out yesterday.
- Nothing else is using this API aside from the FordPass app. I don't use third party services and don't give my credential to anyone. This is the only thing I have accessing the API.
- It's running on my own instance on my own hardware in my own house, and not on an AWS instance, not Nabucasa, etc.
- Possibly related to update intervals, I'll offer that I'm connected to two vehicles with the same credentials. Err, was connected.
My account was locked out yesterday.
I do have two vehicles connected through Home Assistant.
I can't believe Ford would do this to us as a paying customer!
@itchannel Thank you for all your work on this integration! It has served my family well over the years, and I hope Ford can pull their heads together and get this fixed for all of us.
Also to me: 2 cars no longer usable with integration; blocked account, error code in FordPass app: CAIAH0320E. I was hoping to fix it when I saw that the new update was published 😭
Add me to the list of people locked out yesterday. I also have two vehicles and I got the same email as above plus I get the same CAIAH0320E error code when I try to login.
For those that have not done so already, please call Ford Customer service at 800-392-3673. They are taking reports and creating tickets. The person I spoke to said they have been getting a lot of calls.
My guess is Ford recently updated their security policies and did not take this use case into consideration.
TLDR; Ford is being ruthless
Well, I just got off the phone with Ford (833-385-0512). They made me delete my FordPass integration from Home Assistant and said it would be 3 to 5 business days before they re-enabled my account.
I'm so pissed off with Ford right now. Their API is publicly available, but now we can't use it.
I will set up a burner account once my Ford account is unlocked and see what happens with that account.
They just escalated my case two days ago and haven’t heard anything since. Lady asked me if I deleted whatever and I told her yes but she was just who opened ticket 😩
That's not what I wanted to hear @blaine07
I sent a public tweet to Ford but haven't gotten a response from them, and I pointed out the FordConnect API. I doubt it will help in any way, but at least it is more public now.
Shame to hear so many people are being locked out.
What sucks is it uses the documented api calls to the 3rd party API from the documentation on developer.ford.com which I have access to. At no point does it mention any API limitations or rules. I can only guess they want to go down the paywall route.
Hopefully there might be some transparency from Ford by either working with devs to make 3rd party integrations compliant or actual open source tooling from them. More and more are going down the smart home route and integrate their vehicles into other systems like charging, energy monitoring etc :(
I'm going to bring that up when they call, if they actually call me.
I am also signed up with a developer account. Hopefully they have a plan that doesn't involve us losing functionality and having a paywall. This is affecting so many people, not just in Home Automation but even with saving money with EVs and their local electric companies.
Say, are any of you using a reverse proxy? Or Nabucasa?
I just had a conversation with an IT Security person with an onshore accent, and she asked if I were accessing the API via a VPN. I offered that I was using a reverse proxy, and she indicated that that may have been one of the flags, because there was a high incidence of IP address changes in the traffic.
I'm not going to start analyzing my traffic, but my HA install sees everything as coming from my xxx.xxx.xxx.9 machine, and transmits all traffic back to that. If there are headers with IP addresses not matching the actual endpoints, that might be what she was referring to.
In any case, she acknowledged that HA is not being locked out intentionally, and that they consider it first party not third party, and that there are people in senior management at Ford that got bitten by this same bug that are anxious to get it solved.
She suggested that the system might not flag at a reduced polling frequency, but couldn't make any guarantees. She was knowledgeable, but has spent her whole day on the phone calling people instead of being part of the team actually solving the problem.
She specifically said it was the FNA IT Security team working on solving the issue, which is comforting.
@itchannel, we're now abusing the issues system instead of reporting actual bugs and working on resolving them. Sorry about that. Thanks for letting us communicate here.
I host from a static IP from my house without a VPN or reverse proxy. I honestly think this comes down to a new employee who decided to look at logs and saw a huge amount of hits through the API and rather than looking to see what's going on just started shutting down accounts.
@balthisar Interesting to hear that they acknowledge HA. Would be nice if someone from Ford's dev team reached out so I could work with them to make it nicely compliant and fully supported. We can dream :) It's either someone from security wanting to limit the amount of exposure or someone from finance who thought "How can we reduce the API request costs lol"
It could potentially be using a VPN but guessing 99% of HA users just have it going out via their own network. I've always tried to limit the amount of information the integration pulls from Ford as I know some others grab internal device details and other hidden functionality which could cause problems and shouldn't really be exposed to the end user but this integration only uses the endpoints from their own 3rd party API docs 👍
The response of Ford Italy assistance
Interesting that Home Assistant isn't on that list. The engineer I talked to definitely knew what Home Assistant was.
I wonder what the track is to get this integration out of HACS and into Home Assistant proper? Doing so might lend it a bit more credibility in corporate's eyes.
Does setting up a second fordpass account for this integration bypass the issue? Or do they lock your account based on vehicle vin#?
If I create a separate 2nd account and use those credentials for HA integration, then will I still be able to use the Fordpass app with my original account even if the 2nd one gets blocked? Or do they block any fordpass account linked to that vin?
Can anybody with an actively blocked account try signing up for a new Ford account and link their vehicle vin to see if that works?
@stroodle96 You cannot set up another account while being locked out without completely abandoning your original Ford account.
With that said, I have read a couple of people's posts on other forums stating only the account they were using was locked out, and their wife's account was still working without issue.
As soon as my account is unlocked, I will set up a burner account for HA, and I'll see what happens. Hopefully, the reports I have read are correct, and if they disable my burner account, who cares.
I'll tell you my experience: I shared my wife's car with my account; as a result on my app and HA I was seeing and managing the 2 cars.
With locked account I couldn't view either of the 2.
My wife's account (who has only her car on the app) remained active. I reinstalled on HA in her name and the car was manageable (although I had already used her VIN, it didn't create blocking problems).
This afternoon they unlocked my account; I will wait a couple of days before putting it back on HA. In the meantime I think I'll share my car with my wife, so I hope that at least one of the 2 accounts will always be active: I'm not going to give up on our custom (again and always thanks @itchannel )
Thank you both for sharing. I thankfully have not been locked out yet. I created a separate shared account to use with this integration and changed the refresh rate to 30 minutes to be extra safe. Hopefully this works to prevent a total lockout of the FordPass app on my main account.
I just called them again since they still haven't unlocked my account from like 2 months ago.. The person I spoke to said she has about 5 people call her a day about their accounts getting locked out..
Got a definite answer on why my account was locked: Cyber security team checked the logs and my account swapped IPs 1500 times in a 24 hour period so they disabled my account.
The FordPass help desk can enable people's accounts again.
What I'm confused about is how that happened? Would the Nabu Casa cloud cause such a thing with outbound traffic?
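The IP-churn signal reported in this thread (an account that "swapped IPs 1500 times in a 24 hour period"), sketched as an added example that is not Ford's detection logic and not code from the integration: it counts source-IP changes per account inside a sliding 24-hour window. The account names, documentation-range addresses and the threshold are assumptions, and the request records are constructed.

```python
from collections import deque
from datetime import datetime, timedelta


def max_ip_changes(events, window=timedelta(hours=24)):
    """Return {account: peak count of source-IP changes inside any sliding window}.

    events: iterable of (timestamp, account, source_ip) tuples, in any order.
    A "change" is a request whose source IP differs from the account's previous one.
    """
    last_ip, recent, peak = {}, {}, {}
    for ts, account, ip in sorted(events):
        peak.setdefault(account, 0)
        q = recent.setdefault(account, deque())  # timestamps of recent changes
        if account in last_ip and last_ip[account] != ip:
            q.append(ts)
            while ts - q[0] >= window:           # drop changes older than the window
                q.popleft()
            peak[account] = max(peak[account], len(q))
        last_ip[account] = ip
    return peak


def flagged(events, threshold, window=timedelta(hours=24)):
    """Accounts whose peak IP-change count exceeds a hypothetical threshold."""
    peaks = max_ip_changes(events, window)
    return sorted(a for a, n in peaks.items() if n > threshold)


def constructed_events():
    """Constructed sample: two accounts polling every 15 minutes for 48 hours."""
    start = datetime(2022, 11, 28)
    pool = [f"203.0.113.{i}" for i in range(1, 9)]   # rotating egress addresses
    events = []
    for n in range(192):                              # 48 h at one poll per 15 min
        ts = start + timedelta(minutes=15 * n)
        events.append((ts, "static-home", "198.51.100.9"))
        events.append((ts, "rotating-egress", pool[n % len(pool)]))
    return events


if __name__ == "__main__":
    sample = constructed_events()
    print(max_ip_changes(sample))
    print(flagged(sample, threshold=50))
```

At a 15-minute poll interval a single client can produce at most 96 changes per day even if every request leaves from a different address, so a count in the thousands implies either far more requests or several clients sharing the account.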
They were not able to unlock my account. My ticket was escalated on Wed and they have till the 6th to get back to me according to the rep I spoke to just now.