
Attempted Ford Pass Hack

RalpL

Well-known member
First Name
Ralph
Joined
Sep 9, 2021
Threads
3
Messages
634
Reaction score
574
Location
SW Florida
Vehicles
2022 F-150 King Ranch, 601A, PB, 4x2, AMB/SG
Occupation
Retired
This isn't a "hack". Anybody with a Fordpass account can request access to any vehicle. All they have to do is input the VIN into the app.
I can vouch for what Pioneer74 is saying. I found an incoming F-150 to one of the local dealerships. I took the order number and VIN from the window sticker to enter into tracker software for the latest status. The tracker software then referred to it as my truck. Out of curiosity, I entered the VIN into my FordPass app to see if I could get more info. The app asked me to enable (or words to that effect), which I clicked. After a long waiting time, I received a message that my request was denied. Bottom line - we'll all need to be on guard for malicious activity.

 

MikeG

Well-known member
Joined
Jul 5, 2021
Threads
4
Messages
47
Reaction score
40
Location
West Coast
Vehicles
2021 F-150 XLT
They need rotating 2FA in the truck's settings or something. Sure you should be able to share with another account via email, but that person should have to physically start the truck and input the 2FA code to have access.
 

Orlando150

Well-known member
Joined
Jan 17, 2021
Threads
12
Messages
320
Reaction score
463
Location
Orlando, FL
Vehicles
Ford
They need rotating 2FA in the truck's settings or something. Sure you should be able to share with another account via email, but that person should have to physically start the truck and input the 2FA code to have access.
Or just add an account option to auto decline requests. Most people probably don't use this feature or use it once to add family and then never again.
 

RalpL

Or just add an account option to auto decline requests. Most people probably don't use this feature or use it once to add family and then never again.
That's what I was also thinking. Kind of like telling Facebook, WhatsApp or Skype to decline friend requests, etc.
 

JediNut

Well-known member
First Name
Emmett
Joined
Aug 4, 2021
Threads
31
Messages
360
Reaction score
326
Location
Nashville, TN
Vehicles
'21 Ford F-150 Lariat PowerBoost
Occupation
Old Time Geek
My old supervisor used to have a sign on his wall that said “I drink because your password is password”
In all seriousness there’s a reason most secure sites force password changes. Good password hygiene will keep you better protected. Use a password keeper or a revolving password naming convention. Also, if possible, always enable two-factor authentication: something you know (password), something you have (cell phone). Not 100% safe but nothing is.
Cyber bad actors want your user names and passwords and use very clever phishing scams to trick you into providing them.
Banking and email credentials are at top risk. If you use the same password over multiple platforms they are all at risk.
<begin password security lecture>
Good advice... especially the "password keeper" recommendation. I do not know 90% of my passwords, I don't have to. I use 1Password and have it generate a long, random string for all my passwords. It will also keep an eye out for any sites that get compromised for which you have saved a password. Like I said, I use 1Password, but there are others... for work we use LastPass (but I don't particularly care for it.)

One thing to note... the recommendation now is NOT to change your passwords on a regular basis. Pick a really good, secure password (or have your password manager generate one for you) and keep it. Change it only if needed, i.e. the site where you use that password was compromised (why you use different passwords everywhere). Continually changing a password leads to (1) bad passwords because you tend to make ones that are easier to remember, or (2) an unencrypted "notepad" file or piece of paper with passwords written down.
<end password security lecture>

Sorry if this sounded condescending to anyone... it wasn't meant to call anyone out. I'm just offering some advice from someone who has been in the business for 30+ years.

Stay safe out there!
 


MikeG

Or just add an account option to auto decline requests. Most people probably don't use this feature or use it once to add family and then never again.
If someone steals your phone or puts malware on it they could still disable that setting on your Ford Pass App and then add themselves. Having a 30 sec rotating 2FA code (like Google Authenticator) on the truck's nav will make it so they have to be physically at the truck.

Just thinking of the most secure option for Ford. I could see a huge lawsuit if a hacker remote starts a vehicle in a garage and someone dies of carbon monoxide poisoning.
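
The rotating-code idea in the post above, sketched as an added example (not code from this thread and not how FordPass works): a standard RFC 6238 TOTP that the truck's screen would display, plus a server-side check that rejects reused codes and caps guesses. `AccessRequestVerifier`, `approve` and the shared per-vehicle secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the "30 sec rotating" interval from the post


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    counter = int(now) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AccessRequestVerifier:
    """Hypothetical server-side check for access requests to one vehicle.

    Assumes the secret was provisioned to both the vehicle and the server.
    """

    def __init__(self, secret: bytes, max_failures: int = 5):
        self.secret = secret
        self.max_failures = max_failures
        self.failures = 0
        self.last_used_step = -1  # highest time step already accepted

    def approve(self, submitted: str, now: float) -> bool:
        if self.failures >= self.max_failures:
            return False  # locked: a 6-digit code is guessable without a cap
        current = int(now) // STEP
        # Accept the current step and the previous one to absorb clock drift.
        for step in (current, current - 1):
            if step <= self.last_used_step:
                continue  # replay: a code from this step was already used
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_used_step = step
                self.failures = 0
                return True
        self.failures += 1
        return False
```

The code only proves that someone could read the truck's screen within the last minute; the account owner's approval step would still sit on top of it.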
 
OP
SonnyDigs

Well-known member
First Name
Sonny
Joined
Dec 23, 2020
Threads
8
Messages
802
Reaction score
506
Location
Texas
Vehicles
2021 F150 King Ranch
If someone steals your phone or puts malware on it they could still disable that setting on your Ford Pass App and then add themselves. Having a 30 sec rotating 2FA code (like Google Authenticator) on the truck's nav will make it so they have to be physically at the truck.

Just thinking of the most secure option for Ford. I could see a huge lawsuit if a hacker remote starts a vehicle in a garage and someone dies of carbon monoxide poisoning.
I'm thinking it will only run 10 minutes on remote start.
 
OP
SonnyDigs

Well they are at it again this morning..

[Image: Screenshot_20210925-105958_FordPass]

[Image: Screenshot_20210925-110106_FordPass]
 

JediNut

In all seriousness there’s a reason most secure sites force password changes.
It is no longer considered “best practice” to force people to change their passwords on a regular basis. That actually leads to insecure passwords, because the user has to continually pick a new password that they have to remember. It is better to force a secure password choice that the user is allowed to keep for a long time and becomes muscle memory.
 



Sbdavis1

Well-known member
First Name
Stephen
Joined
Nov 20, 2020
Threads
4
Messages
124
Reaction score
215
Location
Fayetteville
Vehicles
2010 F150 Lariat ordered 2021 F150 Lariat
Occupation
Financial Planner, Lawyer
I use “FMCSorryAboutYourTruckPleaseSendMeAPmAndIllDoNothing@Always”. Yet to be hacked or helped.
 

Jglew82

Well-known member
First Name
Greg
Joined
Jan 31, 2022
Threads
1
Messages
70
Reaction score
94
Location
DFW
Vehicles
2023 GMC Sierra 1500 AT4
Occupation
Tech lead
I've denied access to mine from someone named "Terry" at 3am 4 times now. Knock on wood, it finally stopped a few months ago. It started right after I purchased mine in January, so I'm guessing they're just inputting a VIN character incorrectly.
 
 



