Assessing Risk of Stealing Proprietary Models for Medical Imaging Tasks

📅 2025-06-24
🤖 AI Summary
This study assesses the model extraction risk against proprietary medical imaging models under realistic black-box constraints—namely, no access to training data and severely limited query budgets. To address these constraints, we propose QueryWise, a two-stage attack framework: first, constructing a surrogate data distribution from publicly available unlabeled data; second, performing query-efficient knowledge distillation via lightweight transfer learning—without incurring additional query overhead. QueryWise innovatively integrates unsupervised data utilization with parameter-efficient adaptation. Evaluated on gallbladder cancer and COVID-19 classification tasks, it achieves >92% accuracy in the stolen model (within <3% degradation relative to the victim model) using ≤1,000 queries and only public datasets—substantially outperforming existing baselines. Our results demonstrate that state-of-the-art medical AI models remain vulnerable to practical extraction attacks even under strict data isolation, providing empirical evidence for strengthening privacy-preserving design and model robustness in clinical AI systems.

📝 Abstract
The success of deep learning in medical imaging applications has led several companies to deploy proprietary models in diagnostic workflows, offering monetized services. Even though model weights are hidden to protect the intellectual property of the service provider, these models are exposed to model stealing (MS) attacks, where adversaries can clone the model's functionality by querying it with a proxy dataset and training a thief model on the acquired predictions. While extensively studied on general vision tasks, the susceptibility of medical imaging models to MS attacks remains inadequately explored. This paper investigates the vulnerability of black-box medical imaging models to MS attacks under realistic conditions where the adversary lacks access to the victim model's training data and operates with limited query budgets. We demonstrate that adversaries can effectively execute MS attacks by using publicly available datasets. To further enhance MS capabilities with limited query budgets, we propose a two-step model stealing approach termed QueryWise. This method capitalizes on unlabeled data obtained from a proxy distribution to train the thief model without incurring additional queries. Evaluation on two medical imaging models for Gallbladder Cancer and COVID-19 classification substantiates the effectiveness of the proposed attack. The source code is available at https://github.com/rajankita/QueryWise.

Problem

Research questions and friction points this paper is trying to address.

Assessing vulnerability of medical imaging models to stealing attacks
Exploring model theft with limited queries and proxy datasets
Proposing QueryWise method to enhance stealing under budget constraints

Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses public datasets for model stealing attacks
Proposes QueryWise for limited query budgets
Tests on Gallbladder Cancer and COVID-19 models

Authors

Ankita Raj, Indian Institute of Technology Delhi (Computer Vision, Machine learning, Optimization)
Harsh Swaika, Indian Institute of Technology Delhi, India
Deepankar Varma, SDE @HSBC
Chetan Arora, Indian Institute of Technology Delhi, India