The Open Source Technology Improvement Fund is proud to share the results of our security audit of EVerest. EVerest is an open source project hosted by LF Energy, which functions as a firmware stack for EV charging stations. Thanks to efforts by Quarkslab and with support from LF Energy, EVerest continues to operate quickly and effectively in millions of charging stations worldwide. 

Audit Process:

The audit team at Quarkslab spent 42 days on this engagement. First came a discovery period, in which relevant documentation and materials were compiled and a threat model of the project was developed. Then, using static and dynamic analysis tools as well as manual code review, the project was inspected for vulnerabilities and logic flaws. Observing code execution at runtime with dynamic tooling allowed the auditors to understand more deeply how data moves through the complex EVerest workflow, while the threat model guided them to the areas most exposed to threats and helped determine the severity of the identified bugs.

Audit Results:

  • 14 Findings with Security Impact
    • 6 High
    • 6 Medium
    • 5 Low
    • 3 Info
  • Custom Threat Model
  • Recommended Fixes for 14 Findings
  • Further Security Work Recommendations

EVerest supervises multiple channels of communication between the siloed entities involved in vehicle charging: the vehicle, local energy generators, electrical grids, and cloud functions. It does this in ways that are universal, secure, and compliant with standards. While the audit uncovered a number of findings, Quarkslab’s report also notes that the project demonstrates intentional design and an emphasis on isolation that is highly commendable for its positive impact on the project’s overall security health. If you would like to contribute to EVerest, you can find opportunities to participate on their webpage.

Thank you to the individuals and groups that made this engagement possible:

  • EVerest maintainers and community, especially: Kai-Uwe Hermann, Ryan Cryar, and Piet Gömpel
  • Quarkslab, especially: Sébastien Kaczmarek, Philippe Azalbert, and Sébastien Rolland
  • LF Energy

You can read the Audit Report HERE

You can read the LF Energy blog post HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, reach out to [email protected]

Follow our Community Calendar to stay up to date with OSTIF events: https://lu.ma/ostif-meetups