Bluetooth To The Rescue! NHTSA Does About Face On Massachusetts Telematics Access Law
A letter from NHTSA to Massachusetts' Attorney General walks back opposition to the state's expanded vehicle right to repair law. Repair advocates worry that NHTSA's compromise is a bad deal.
A letter from the National Highway Traffic Safety Administration (NHTSA) to Massachusetts’ Attorney General walks back a June warning to automakers not to comply with the state’s expanded vehicle right to repair law by providing owners and independent garages with access to vehicle telematic data needed for repairs.
The letter, dated August 22, was signed by Kerry Kolodziej, an Assistant Chief Counsel for Litigation and Enforcement at NHTSA - the same attorney who authored the June 13th letter to the lead counsel at 22 major U.S. automakers that argued that the Massachusetts law poses a safety risk and therefore violates the National Traffic and Motor Vehicle Safety Act (Safety Act), 49 C.F.R. Chapter 301.
That followed Massachusetts Attorney General Andrea Joy Campbell’s decision, in March, to begin enforcing the 2020 expansion of the state’s automotive right to repair law, as a case challenging the legality of the law, Alliance for Automotive Innovation vs. Campbell, remained in limbo in the courtroom of Federal Judge Douglas Woodlock.
Kolodziej’s latest missive, addressed to Massachusetts’ Assistant Attorney General Erik Haskell, takes a different tone: declaring NHTSA firmly supportive of vehicle owners’ right to repair their cars. NHTSA, Kolodziej argues, has reached agreement with the Massachusetts Attorney General that the telematics access law can be implemented “promoting consumers’ ability to choose independent or do-it-yourself repairs—without compromising safety.”
What changed? Well, apparently Bluetooth - a quarter-century-old, short-range wireless protocol. Kolodziej said that she was writing to Haskell “to confirm our mutual understanding of that path forward” for near-term implementation of the Massachusetts Data Access Law. That apparently rests on automakers giving local repair shops access to vehicle telematics via Bluetooth connections - or some similar short-range protocol - thereby satisfying the law’s requirement of access to wireless telematics, while eliminating what NHTSA considers the risk of large-scale and remote attacks on vehicles.
“In NHTSA’s view, a solution like this one, if implemented with appropriate care, would significantly reduce the cybersecurity risks—and therefore the safety risks—associated with remote access…Such a short-range wireless compliance approach, implemented appropriately, therefore would not be preempted,” Kolodziej wrote.
But will it?
For one thing, limiting telematics access to short-range protocols like Bluetooth offers few advantages over the status quo of physical access to repair data via a wired connection to the under-the-dashboard OBDII port. In both cases, vehicle owners need to physically deliver their vehicle to the garage in order to get access to its data. Authorized repair providers, however, which would be able to remotely access telematics data for vehicles via cloud-based management interfaces, would enjoy a considerable competitive advantage.
Auto Care: Bluetooth isn’t the answer
In a statement, the Auto Care Association said that it appreciated NHTSA’s “willingness … to revisit its position on the enforceability of the law” but “does not support a Bluetooth solution; short range wireless communication does not create the level playing field expected by the voters of Massachusetts.”
And, while the ballot measure approved by Massachusetts voters in 2020 may have set an aggressive timetable for implementing an independent, non-OEM platform for accessing vehicle telematics data, there has been little evidence that automakers have made efforts to implement such a solution in the intervening years. In fact, when asked by Judge Woodlock what steps they had taken to prepare for having to comply with the Massachusetts law, should he rule against them, automakers acknowledged they had made no efforts to comply with the law in the two years since its passage.
The bigger issue may be that NHTSA’s focus on the potential of remote cyber attacks on vehicles stemming from broader access to wireless repair data overlooks the actuality of widespread and exploitable vulnerabilities in vehicle telematics systems that have already been deployed by major automakers and suppliers. The report, Web Hackers Vs. The Auto Industry, is just one recent example of the cybersecurity flaws that are rife in smart, connected vehicles - and about which NHTSA has shown little interest.
NHTSA says it’s working to minimize risk. Really?
Kolodziej’s letter seems to anticipate that criticism. The letter takes pains to emphasize that NHTSA’s concerns about the cyber risk to connected vehicles aren’t limited to owners or independent repair professionals.
“NHTSA wishes to emphasize that its concerns regarding risk associated with the broad ability to remotely access and send commands that control a vehicle’s critical safety systems do not arise from a belief that any particular entity or person seeking to repair a vehicle—whether a vehicle manufacturer or manufacturer-affiliated dealer, an independent repair facility, or a do-it-yourself vehicle owner—necessarily poses a greater cybersecurity concern than another,” she wrote.
NHTSA is working to “minimize this risk at any level of access—whether by an original equipment manufacturer, dealer, or independent repair facility,” she wrote. The agency will “continue to evaluate safety programs and protocols as technology in this area evolves,” the letter reads.
Time will tell if that promise is borne out. In the meantime, those supporting the expanded Massachusetts law see reason for optimism in NHTSA’s grudging acquiescence on the right to repair law.
Despite the compromise, automakers are now on notice that they must comply with the Massachusetts law. That gives aftermarket service providers leverage to work out “what compliance looks like,” wrote one expert with knowledge of the case.