Car-maker Ford has withdrawn its software for automatically unlocking a user’s web accounts after a blogger pointed out its security shortcomings
Ford Motor Company has temporarily withdrawn its Key Free Login software after a blogger pointed out security flaws in the application.
Ford launched Key Free Login last week as a way to demonstrate the benefits of its contactless locking and unlocking system for automobiles by transferring the concept to the web.
Once installed on an iPhone and a Mac OS X computer, the software logs a user into all of his web accounts whenever the smartphone is nearby, and logs out when the device is taken away, eliminating the need to type passwords. The Mac detects the presence of the iPhone via Bluetooth.
The software was initially launched in France in cooperation with advertising firm Ogilvy Paris, which created a video (in English) promoting the concept.
However, a French blogger noted that the system may open up certain security loopholes, since, for example, the user’s passwords are stored in an easy-to-locate plain-text file.
“Nothing is encrypted,” wrote blogger Korben (in French). “All the logins and passwords are in cleartext, as well as the MAC adress of your mobile. There’s no need to spoof your Bluetooth to access your Gmail inbox, all you have to do is look in this file.”
Korben also noted certain practical problems. For instance, if the iPhone isn’t present, the user can login manually, but the KeyFree software logs out automatically after a few minutes.
Ford quickly withdrew the software and said in a response to the Korben blog it is planning an update with more robust security.
The company said initially it hadn’t seemed necessary to provide better protection for the stored passwords, pointing out that in the Firefox browser the user can freely view stored passwords in the Security preferences pane of the browser.
“We have taken into account your remarks concerning the encryption of users’ usernames and passwords,” stated a spokesperson for Ford France’s Key Free Login team. “Our teams are already working toward a new release as quickly as possible and we will keep you informed on its availability.”
Despite the hiccup, Ford’s concept has some merits, according to Paul Ducklin, Sophos’ head of technology for Asia Pacific. The feature that automatically logs the user out of his accounts could be worth having, he wrote on Friday.
“I particularly like the last part – the auto-logoff,” Ducklin wrote in a blog post. “I’m assuming the browser plug-in keeps polling your phone to make sure it’s still around, and clears your session cookies if it isn’t. That’s a fantastic feature.”
However, he argued that the automatic login feature goes against good security practice.
“If this were a contactless entry system for your car, it would be one which unlocked, started and automatically drove off in your vehicle every time you went near it,” he wrote. “My advice is to take exactly the opposite approach to Ford’s password manager application. Don’t get into the habit of automatically logging in to social media sites whenever you are at your computer. Login only when you actually want to use the relevant service, such as Liking an article or Tweeting a news item.”
How well do you know your tablets? Take our quiz.