Covert Pilot Spoofing Attack via Active Reconfigurable Intelligent Surface

The active reconfigurable intelligent surface (RIS) offers a promising solution to overcome the double-fading attenuation inherent in passive RIS-aided systems. However, this capability can be exploited by adversaries to launch potent pilot spoofing attack (PSA). In this paper, we propose a novel active RIS-aided covert PSA scheme for time-division duplex systems, where a passive eavesdropper manipulates the channel state information (CSI) estimation at the legitimate transceiver during the uplink stage and steers downlink data towards itself during the downlink stage. Crucially, without requiring perfect instantaneous CSI, a practical challenge for eavesdroppers, we maximize the average eavesdropping signal-to-noise ratio (SNR) by jointly designing the RIS reflection coefficients for both stages. To ensure covertness, we integrate an anti-energy ratio detection (ERD) mechanism that constrains the detection probability below a predefined threshold. The resulting non-convex optimization problem is solved via an efficient alternating optimization algorithm combined with penalty methods, handling the rank-1 constraints and statistical CSI uncertainties. Simulations demonstrate that the proposed scheme achieves up to 26 dB SNR gain over passive RIS-aided PSA and reduces ERD detection probability compared to traditional PSA. This work reveals the dual-edged nature of the active RIS: while enhancing security, it introduces new attack schemes demanding advanced countermeasures.