In this letter, using a control-theoretic approach, we present a covert channel technique that enables a compromised networked controller to leak information to an eavesdropper who has access to the measurement channel. We demonstrate that this can be achieved without establishing any additional explicit communication channels by properly altering the control logic and exploiting robust reachability arguments. Finally, a dual-mode receding horizon model predictive control strategy is used as an illustrative example to show how such an undetectable covert channel can be established.
A. Abdelwahab; W. Lucia; A. Youssef. IEEE Control Systems Letters (Volume: 5, Issue: 4, Oct. 2021)