On-chip bus implementations must be bug-free and secure to provide the functionality and performance required by modern system-on-a-chip (SoC) designs. Regardless of the specific topology and protocol, bus behavior is never fully specified, meaning there exist cycles/conditions where some bus signals are irrelevant, and ignored by the verification effort. We highlight the susceptibility of current bus implementations to Hardware Trojans hiding in this partially specified behavior, and present a model for creating a covert Trojan communication channel between SoC components for any bus topology and protocol. By only altering existing bus signals during the period where their behaviors are unspecified, the Trojan channel is very difficult to detect. We give Trojan channel circuitry specifics for AMBA AXI4 and advanced peripheral bus (APB), then create a simple system comprised of several master and slave units connected by an AXI4-Lite interconnect to quantify the overhead of the Trojan channel and illustrate the ability of our Trojans to evade a suite of protocol compliance checking assertions from ARM. We also create an SoC design running a multiuser Linux OS to demonstrate how a Trojan communication channel can allow an unprivileged user access to root-user data. We then outline several detection strategies for this class of Hardware Trojan.