T-LOG-01

Undetectability by Non-Authorized Parties.

TS 33.126 R6.6-30.

The CSP shall ensure that non-authorized personnel or processes (including automated or Artificial Intelligence based systems) that are part of the service cannot detect that interception is taking place.

References:

Asset reference: AS-TARGET-01

Attacker reference: AT-INTERNAL-01

Ensure that general privileged administrators cannot detect whether an a-priori chosen subscriber is under LI.

1. A minimal network and two user agents are available, sufficient to start a communication session between two parties.

2. An LI system is available in the above network, sufficient to provision a target for LI.

3. On the LI system, the tester has an account prepared from which a target can be provisioned.

4. On an NF that contains a POI or a TF, the tester has prepared an account with sufficient privileges to access logs.

Execute the following steps:

1. The tester notes the start time of the test, to be used later to pull the log that corresponds to the test period.

2. The tester starts a communication session from any user account and records any identifiers pertaining to this account.

3. The tester stops the communication session.

4. The tester pulls the logs from the NF for the period of the communication session.

5. The tester sets this log aside for later comparison with another.

6. The tester logs into the LI privileged account on the ADMF and sets up the same user account used in step 2 as an LI target.

7. The tester performs the same previous steps (1 through 5) from the LI target account.

8. The tester diffs the two logs.

The expectation is that there is nothing in the result of the test that can be used to determine that the a priori chosen target is under LI.

The tester submits a human-readable diff and a plain-language conclusion whether the general privileged admin can use this log leak method to ascertain that LI is occurring.

T-CONFIG-02, T-INTERFACE-SEC-10

Undetectability by Non-Authorized Parties.

TS 33.126 R6.6-30.

The CSP shall ensure that non-authorized personnel or processes (including automated or Artificial Intelligence based systems) that are part of the service cannot detect that interception is taking place.

References:

Asset reference: AS-TARGET-01,

Attacker reference: AT-INTERNAL-01,

To verify that non secured X1 connection attempts fail.

Execute the following steps:

1. The tester issues a GetAllDetails command over LI_X1 interface towards the POI under test using HTTP.

The HTTP transaction fails.

Any suitable evidence (e.g. output of netcat or packet capture), or plain language description of the failure.

T-CONFIG-02 [Editor's Note: this test is relevant whether this is configurable or hard-coded]{.mark} - T-INTERFACE-SEC-10

Undetectability by Non-Authorized Parties.

TS 33.126 R6.6-30.

The CSP shall ensure that non-authorized personnel or processes (including automated or Artificial Intelligence based systems) that are part of the service cannot detect that interception is taking place.

References:

Asset reference: AS-TARGET-01,

Attacker reference: AT-INTERNAL-01,

[Editor's Note: Write a separate test that verifies that the POIs are not visible from the Internet at large (external attackers)]{.mark}

[Editor's Note: Mutually authenticated TLS]{.mark}

To verify that TLS is used to protect LI_X1.

1. The POI under test shall expose an ETSI TS 103.221-1 LI_X1 interface

2. The tester shall have the capability to connect to LI_X1 over HTTPS (including relevant certificates).

Execute the following steps:

1. The tester issues a GetAllDetails command over LI_X1 interface towards the POI under test using HTTPS and supplying valid credentials.

2. The tester issues a GetAllDetails command over LI_X1 interface towards the POI under test using HTTP.

The HTTPS transaction from execution step 1 succeeds.

The HTTP transaction from execution step 2 does not succeed [(fails at the transport layer).]{.mark}

Any suitable evidence (e.g. output of netcat or packet capture).

T-CONFIG-02 [Editor's Note: this test is relevant whether this is configurable or hard-coded]{.mark} - T-INTERFACE-SEC-10

Undetectability by Non-Authorized Parties.

TS 33.126 R6.6-30.

The CSP shall ensure that non-authorized personnel or processes (including automated or Artificial Intelligence based systems) that are part of the service cannot detect that interception is taking place.

References:

Asset reference: AS-TARGET-01,

Attacker reference: AT-INTERNAL-01,

[Editor's Note: Write a separate test that verifies that the POIs are not visible from the Internet at large (external attackers)]{.mark}

[Editor's Note: Mutually authenticated TLS]{.mark}

The tester shall prove that using anything else but a valid certificate will fail.

[Editor's Note: write separate tests for the following:]{.mark}

[e.g.:]{.mark}

[1. expired certs]{.mark}

[2. revoked certs]{.mark}

[3. cert IDs don't match the LI_X1 IDs]{.mark}

[4. LI_X1 ID (or other parameters) missing altogether]{.mark}

[5. NEID in LI_X1 doesn't match the NEID of the POI under test]{.mark}

[6. valid cert that hangs under the wrong root of trust]{.mark}

[7. partial vs full cert chain verification by the POI (root of trust is valid, but the sub-CA is wrong)]{.mark}

1.

2.

1. The POI under test shall expose an ETSI TS 103.221-1 LI_X1 interface

2. The tester shall have the capability to connect to LI_X1 over HTTPS (including relevant certificates).

Execute the following steps:

1. The tester issues a GetAllDetails command over LI_X1 interface towards the POI under test using HTTPS and supplying valid credentials.

2. The tester issues a GetAllDetails command over LI_X1 interface towards the POI under test using HTTP.

The HTTPS transaction from execution step 1 succeeds.

The HTTP transaction from execution step 2 does not succeed [(fails at the transport layer).]{.mark}

Any suitable evidence (e.g. output of netcat or packet capture).

[Editor's note: Write MOAT: The tester shall verify that ALL interfaces are not vulnerable to the top (20?) common OWASP vulnerabilities / CBE]{.mark}s

T-CONFIG-02

Undetectability by Non-Authorized Parties.

TS 33.126 R6.6-30.

The CSP shall ensure that non-authorized personnel or processes (including automated or Artificial Intelligence based systems) that are part of the service cannot detect that interception is taking place.

References:

Asset reference: AS-TARGET-01

Attacker reference: AT-INTERNAL-01

Ensure that general privileged administrators (e.g., config reviewers, system auditors) cannot detect that interception is taking place by analysing configuration files before and after LI provisioning.

[Editor's note: configuration aspects other than configuration files are not covered by this test case.]{.mark}

1. The tester has administrative access to a network element that contains a POI that supports configuration snapshots.

2. An LI system is available in the network, sufficient to provision a target for LI.

3. On the LI system, the tester has an account prepared from which a target can be provisioned.

4. The configuration mechanism is file-based or produces structured output (e.g., XML, YAML, JSON).

5. The system supports exporting these configurations.

Execute the following steps:

1. The tester logs in using the general privileged account and exports a complete configuration snapshot.

2. The snapshot is timestamped and saved securely for later comparison.

3. The tester logs in using the LI privileged account and provisions an interception target.

4. The tester repeats the configuration export from the general privileged account.

5. The tester performs a diff on the two snapshots.

6. The tester inspects the diff for any structural or content-level indication that LI has been configured, including:

a. new service entries

b. altered service entries

c. any difference that could indicate LI activity

The expectation is that there is nothing in the result of the test that can be used to determine that the a priori chosen target is under LI.

The tester submits a human-readable diff and a plain language conclusion on whether any observed changes in config can be used to infer the presence of an LI target.

T-RES-CPU-03

Undetectability by Non-Authorized Parties.

TS 33.126 R6.6-30.

The CSP shall ensure that non-authorized personnel or processes (including automated or Artificial Intelligence based systems) that are part of the service cannot detect that interception is taking place.

References:

Asset reference: AS-TARGET-01

Attacker reference: AT-INTERNAL-01

Ensure that general privileged network administrators cannot detect whether an a-priori chosen target is under LI.

1. A minimal network and two user agents are available, sufficient to start a communication session between two parties.

2. An LI system is available in the above network, sufficient to provision a target for LI.

3. On the LI system, the tester has an account prepared from which a target can be provisioned.

4. On an NF that contains a POI or a TF, the tester has prepared appropriate CPU utilization monitoring tools. The availability of these depends on the platform. The following are offered as non-exhaustive examples: top, htop, mpstat, vmstat, iostat -c for physical hosts, or top, virsh domstats / virt-top, cgroups/systemd-cgtop, docker stats for virtual deployments.

Execute the following steps:

1. The tester measures the CPU utilization on the host, notes the baseline.

2. The tester starts a new communication session as a regular network user, using any network user account.

3. The tester takes a new measurement of the CPU utilization, records the measurement, and calculates the delta between the baseline from step 1 and this new value. It is essential that these two measurements be as close in time as possible. An automated (scripted) process should be used to take multiple samples.

4. The tester inserts a new target into the LI stack, provisioning the interception for full content.

5. The tester repeats the above measurements steps.

The expectation is that there is nothing in the result of the test that can be used to determine that the a priori chosen target is under LI.

The tester will provide the two raw measurements, and the delta in tabular form, both for the non-target and target calls respectively along with a plain-language conclusion whether the test can detect LI activity.

T-RES-CPU-04

Undetectability by Non-Authorized Parties.

TS 33.126 R6.6-30.

The CSP shall ensure that non-authorized personnel or processes (including automated or Artificial Intelligence based systems) that are part of the service cannot detect that interception is taking place.

References:

Asset reference: AS-TARGET-01

Attacker reference: AT-INTERNAL-01

Ensure that non-LI authorized network administrators cannot detect whether the LI function in an NF is performing interception.

1. A minimal network and two user agents are available, sufficient to start a voice communication session between two parties.

2. An LI system is available in the above network, sufficient to provision a target for LI.

3. On the LI system, the tester has an account prepared from which a target can be provisioned.

4. On an NF that contains a POI or a TF, the tester has prepared appropriate CPU utilization monitoring tools. The availability of these depends on the platform. The following are offered as non-exhaustive examples: top, htop, mpstat, vmstat, iostat -c for physical hosts, or top, virsh domstats / virt-top, cgroups/systemd-cgtop, docker stats for virtual deployments.

Execute the following steps:

1. The tester logs into the system from both the non-LI-authorized account and the LI-authorized account.

2. The tester measures the CPU utilization on the host, notes the baseline.

3. The tester conducts a call using a test device configured as a regular network user, and:

a. Continuously monitors the CPU utilization

b. Records the raw CPU utilization measurements at the following steps of the call:

i. STEP 1 (Initial INVITE is seen at the NF)

ii. STEP 2 (call is answered)

iii. STEP 3 (BYE is seen at the NF)

iv. STEP 4 (Session is closed)

1. For each measurement in step 3b, the tester calculates the delta between the baseline and the measured CPU utilization.

2. The tester repeats steps 2-4 five times and calculates the average CPU usage at each step.

3. The tester (in LI-authorized mode) activates a new task to intercept the test device including both IRI and CC with no service scoping.

4. The tester (in non-LI-authorized mode) repeats steps 2-5.

5. The tester compares the average calculated in step 5 with the average calculated in step 7.

The expectation is that there is nothing in the result of the test that can be used to determine that the a priori chosen target is under LI.

The tester will provide the two raw measurements, and the delta in tabular form, both for the non-target and target calls respectively, along with a plain-language conclusion whether the non-LI-authorised admin can use the CPU utilization side channel to detect LI.

T-RES-NET-05

Undetectability by Non-Authorized Parties.

TS 33.126 R6.6-30.

The CSP shall ensure that non-authorized personnel or processes (including automated or Artificial Intelligence based systems) that are part of the service cannot detect that interception is taking place.

References:

Asset reference: AS-TARGET-01

Attacker reference: AT-INTERNAL-01

Ensure that general privileged network administrators cannot detect whether an a-priori chosen target is under LI.

1. A minimal network and two user agents are available, sufficient to start a voice communication session between two parties.

2. An LI system is available in the above network, sufficient to provision a target for LI.

3. On the LI system, the tester has an account prepared from which a target can be provisioned.

4. On an NF that contains a POI or a TF, the tester has prepared appropriate network bandwidth probes on all the network interfaces on the NF. The availability of these depends on the platform. The following are offered as non-exhaustive examples: iftop, nload, ip -s link, bmon, etc. in physical hosts, or ethtool -S , ovs-vsctl or ovs-ofctl for Open vSwitch, libvirt / virsh domifstat for KVM/QEMU VMs, cAdvisor / Prometheus and Grafana for Docker/Kubernetes virtual deployments

Execute the following steps:

1. The tester measures the network interface utilization on the host, notes the baseline.

2. The tester starts a new communication session as a regular network user, using any network user account.

3. The tester takes a new measurement of the network interface utilization, records the measurement, and calculates the delta between the baseline from step 1 and this new value. It is essential that these two measurements be as close in time as possible. An automated (scripted) process should be used to take five samples.

4. The tester inserts a new target into the LI stack, provisioning the interception for full content.

5. The tester repeats the above measurements steps.

The expectation is that there is nothing in the result of the test that can be used to determine that the a priori chosen target is under LI.

The tester will provide the two raw measurements, and the delta in tabular form, both for the non-target and target calls respectively along with a plain-language conclusion whether the test can detect LI activity.

T-TIMING-06

Undetectability by Non-Authorized Parties.

TS 33.126 R6.6-30.

The CSP shall ensure that non-authorized personnel or processes (including automated or Artificial Intelligence based systems) that are part of the service cannot detect that interception is taking place.

References:

Asset reference: AS-LI-PRODUCT-06

Attacker reference: AT-INTERNAL-01

Ensure that LI activity cannot be detected by observing timing patterns (e.g., bursts, jitter, periodicity) in non-LI network traffic.

1. The tester has access to all network interfaces on the network function that contains the POI.

2. The tester has LI privileges and can activate LI on the same network function.

3. The tester has access to traffic timing statistics or packet captures from the POI-to-MDF interface and can also stimulate LI traffic.

4. An LI system is ready to provision IRI and CC.

Execute the following steps:

1. Tester provisions a high-content communication session (e.g., 60 seconds of voice or data) between two non-LI involved endpoints, one of which is on the same network function as the POI.

2. The tester captures packet timing and burst intervals over a 5-minute window under no LI activity as a baseline.

3. The tester provisions an interception target on the POI in the NF under test.

4. The tester starts a communication session between the target and another party, that will cause the POI to capture and deliver LI product.

5. The tester repeats the measurements under LI-active conditions.

6. The tester applies statistical analysis (e.g., inter-packet arrival histograms, burst length variability) to both captures.

It is expected that there is no statistically distinguishable pattern (e.g., a burst every X seconds, or sudden jitter) that would indicate when LI is active.

A statistical plot or summary (e.g., variance, kurtosis of inter-arrival times) and a plain-language conclusion indicating whether LI presence could be inferred from timing anomalies.

[Editor's Note: The group has discussed tests up to here (specifically, 7, 8, 9 haven't been discussed - but 10 and further have.)]{.mark}

T-TIMING-07

Undetectability by Non-Authorized Parties.

TS 33.126 R6.6-30.

The CSP shall ensure that non-authorized personnel or processes (including automated or Artificial Intelligence based systems) that are part of the service cannot detect that interception is taking place.

References:

Asset reference: AS-LI-PRODUCT-06

Attacker reference: AT-INTERNAL-01

Ensure that internal administrators with access to MDF/LEMF transport segments cannot detect the presence of LI activity by observing timing patterns (e.g., bursts, jitter, periodicity) in non-LI network traffic.

1. The MDF and LEMF are logically separate components on the network.

2. The LI product transport between MDF and LEMF is observable at a transport layer (e.g., netflow, mirrored span port).

3. The tester has access to traffic timing statistics or packet captures from the MDF-to-LEMF interface.

4. An LI system is ready to provision IRI and CC.

Execute the following steps:

1. The tester captures packet timing and burst intervals between MDF and LEMF over a 5-minute window under no LI activity.

2. The tester provisions a new target for full IRI and CC.

3. The tester repeats the traffic capture under LI-active conditions.

4. The tester applies statistical analysis (e.g., inter-packet arrival histograms, burst length variability) to both captures.

It is expected that there is no statistically distinguishable pattern (e.g., a burst every X seconds, or sudden jitter) that would indicate when LI is active.

A statistical plot or summary (e.g., variance, kurtosis of inter-arrival times) and a plain-language conclusion indicating whether LI presence could be inferred from timing anomalies.

T-INTERRUPTION-07

Undetectability by Non-Authorized Parties.

TS 33.126 R6.6-30.

The CSP shall ensure that non-authorized personnel or processes (including automated or Artificial Intelligence based systems) that are part of the service cannot detect that interception is taking place.

References:

Asset reference: AS-LI-PRODUCT-06

Attacker reference: AT-INTERNAL-01

To ensure that the LI system does not exhibit differential behaviour during delivery path faults between POI and MDF, such that an internal administrator without LI privilege cannot distinguish whether LI is active based on service degradation patterns.

1. A test call generator and an LI system are available to initiate full CC/IRI on a test UE.

2. The network segment between POI and MDF is under controlled lab conditions, capable of simulating link failure (e.g., disabling an interface, simulating packet drop via tc or iptables).

3. Logging mechanisms on POI/MDF are available for correlation.

Execute the following steps:

1. Tester provisions a high-content communication session (e.g., 60 seconds of voice or data) between two non-LI involved endpoints, one of which is on the same network function as the POI.

2. At second 30 of the call, tester introduces an artificial failure on the LI product delivery path (e.g., disables interface, blocks TCP/UDP port).

3. Tester restores the path at second 45.

4. Tester monitors the communication from step 1 for:

a. Gaps

b. Jitter or misaligned timestamps

c. Recovery mechanisms triggered (e.g., buffering, retransmit)

d. Log entries on the NF

1. Tester provisions interception of a high-content session (e.g., 60 seconds, voice or data) on a separate target (not the same as the endpoint in step 1) on the same logical node.

2. Tester performs the same procedure from steps 2-4.

3. Tester compares the behaviour of the function between the two cases.

The NF is expected to behave in the same way in both cases (LI active and not active).

Packet trace timestamps, POI/MDF log excerpts, and human-readable summary of whether the system degraded gracefully or failed differently in the two cases.

T-SESSION-COUNT-09

Undetectability by Non-Authorized Parties.

TS 33.126 R6.6-30.

The CSP shall ensure that non-authorized personnel or processes (including automated or Artificial Intelligence based systems) that are part of the service cannot detect that interception is taking place.

References:

Asset reference: AS-LI-PRODUCT-06

Attacker reference: AT-INTERNAL-01

Ensure that lawful interception provisioning does not create observable differences in TLS session counts or handshake patterns that could be used to infer LI activity.

1. The network or function uses TLS for control or media transport.

2. TLS session logs, counters, or telemetry are accessible to general privileged roles.

3. LI infrastructure is in place and uses secure links.

Execute the following steps:

1. The tester initiates standard traffic sessions and records the number of TLS sessions/handshakes initiated per session from the general privileged account.

2. The tester provisions an LI target and repeats the session.

3. The tester compares the TLS session metrics between the surveilled and non-surveilled flows.

4. The tester analyses whether additional TLS handshakes (e.g., toward MDF) correlate with the surveilled session.

5. The tester checks whether handshake timing, mutual TLS behaviour, or cert exchange patterns leak interception status.

It is expected that the TLS metrics are be indistinguishable between surveilled and non-surveilled flows. LI MDF must not be visible as secondary TLS endpoints or cause measurable handshake side effects.

The tester supplies a TLS session count comparison and an interpretation of whether a general privileged observer could detect LI activity from the metrics.

[Editor's note: for the next message (TLS) cast a wider net:]{.mark}

[1. reverse direction]{.mark}

[2. X2/3]{.mark}

[3. send X1 commands on an X2/3 (or other SBI) interface]{.mark}