THE LINUX FOUNDATION PROJECTS
January 20, 2026

LF Energy Advances EV Charging Security with Independent EVerest Audit

LF Energy is pleased to announce the completion and public release of a comprehensive security audit of the EVerest project, conducted by Quarkslab and coordinated by the Open Source Technology Improvement Fund (OSTIF). This audit reflects LF Energy’s ongoing commitment to strengthening the security, reliability, and trustworthiness of the open source software that underpins critical energy and mobility infrastructure.

EVerest is an open source firmware stack for electric vehicle charging stations, hosted by LF Energy and deployed in hundreds of thousands of charging points worldwide. It plays a critical role at the intersection of electric vehicles, power grids, cloud services, and local energy systems, making security a foundational requirement for its continued adoption and evolution.

Audit Scope and Methodology

The security assessment was carried out over 42 days and focused on the publicly available EVerest codebase and key protocol implementations. Quarkslab began the engagement with an in-depth discovery phase, reviewing project documentation and architecture before developing a custom threat model in collaboration with the EVerest maintainers. This model guided the audit toward the most relevant attack surfaces and real-world threat scenarios.

The audit combined:

  • Static analysis and manual code review,
  • Dynamic analysis and runtime inspection,
  • Protocol-level assessment across critical components such as OCPP and ISO 15118.

This approach allowed the auditors to evaluate how data flows through EVerest in real deployment scenarios, while systematically identifying vulnerabilities and logical weaknesses.

Key Findings and Outcomes

The audit identified a total of 14 findings with security impact, spanning multiple severity levels:

  • 6 high-severity findings
  • 6 medium-severity findings
  • 5 low-severity findings
  • 3 informational observations

In addition to documenting these findings, Quarkslab provided clear, actionable remediation guidance for each issue, along with broader recommendations for further security hardening. Notably, the report highlights EVerest’s intentional modular design and strong isolation principles, which significantly limit the blast radius of potential vulnerabilities and contribute positively to the project’s overall security posture. All vulnerabilities have already been addressed by the EVerest community.

Strengthening Security Through Open Collaboration

Security audits are a critical part of building production-grade open source infrastructure. By identifying issues early, audits help projects improve resilience, increase operator confidence, and enable safer adoption at scale.

This engagement exemplifies the value of collaboration between:

  • Open source communities and maintainers,
  • Specialized security firms like Quarkslab,
  • Coordinators such as OSTIF,
  • And foundations like LF Energy that invest in long-term project health.

LF Energy extends its sincere thanks to everyone who contributed to this effort, including the EVerest maintainer community – especially Kai-Uwe Hermann, Ryan Cryar, and Piet Gömpel – as well as the Quarkslab audit team and OSTIF for their coordination and stewardship.

Read the Full Report

The full EVerest Security Audit Report, including the threat model, detailed findings, and recommended mitigations, is now publicly available.

By making this report public, the EVerest community continues to demonstrate its commitment to transparency, continuous improvement, and the shared responsibility of securing the digital foundations of electric mobility and modern energy systems.