
arXiv:2607.00174v1 Announce Type: cross Abstract: We present a black-box model-stealing attack that recovers private vision-tokenizer configurations of deployed vision-language models (VLMs), including the visual patch size and input preprocessing pipeline. The key idea is a task-level side channel induced by ViT-style patchification: when a synthetic grid image is aligned with the hidden patch grid, boundary cues are erased at tokenization, causing periodic accuracy drop. By sweeping the grid cell size and measuring these collapses, we infer the patch size; by introducing padding and a consis
The proliferation of complex black-box AI models, particularly VLMs, creates inherent vulnerabilities that are only now beginning to be systematically explored and exploited through model-stealing attacks.
This development highlights a critical security vulnerability in black-box AI models, allowing the exfiltration of private architectural details, which could lead to intellectual property theft or more potent adversarial attacks.
The ability to infer private VLM configurations from deployed models changes the threat landscape, forcing developers to reconsider model hardening and the security implications of deploying proprietary architectures.
- Malicious actors
- Security researchers
- AI red teams
- AI model hardening solution providers
- VLM developers
- Companies deploying proprietary AI models
- Users relying on VLM security
Increased efforts by AI developers to obfuscate or secure proprietary model architectures against black-box attacks.
A potential chilling effect on the deployment of highly valuable, proprietary AI models due to heightened IP theft risks.
New research and development in 'uninferable' AI architectures or adaptive defenses that dynamically alter model configurations.