This work identifies, for the first time, a critical security vulnerability in the model selection phase of Machine Learning as a Service (MLaaS), introducing “Model Selection Hijacking”—an adversarial attack paradigm wherein adversaries poison selection data to mislead service providers into selecting suboptimal models. The attack requires no prior knowledge of target models or selection criteria and employs a Variational Autoencoder (VAE)-based framework to generate adversarial selection data, enabling cross-task and cross-modal (CV and speech) transferability. Experiments demonstrate an average attack success rate of 75.42%; hijacked models suffer an 88.30% degradation in generalization performance, an 83.33% increase in inference latency, and up to a 105.85% surge in energy consumption. This study is the first to systematically expose model selection as a previously overlooked security blind spot in MLaaS, providing both theoretical insights and empirical evidence to inform trustworthy MLaaS deployment.

Model selection is a fundamental task in Machine Learning~(ML), focusing on selecting the most suitable model from a pool of candidates by evaluating their performance on specific metrics. This process ensures optimal performance, computational efficiency, and adaptability to diverse tasks and environments. Despite its critical role, its security from the perspective of adversarial ML remains unexplored. This risk is heightened in the Machine-Learning-as-a-Service model, where users delegate the training phase and the model selection process to third-party providers, supplying data and training strategies. Therefore, attacks on model selection could harm both the user and the provider, undermining model performance and driving up operational costs. In this work, we present MOSHI (MOdel Selection HIjacking adversarial attack), the first adversarial attack specifically targeting model selection. Our novel approach manipulates model selection data to favor the adversary, even without prior knowledge of the system. Utilizing a framework based on Variational Auto Encoders, we provide evidence that an attacker can induce inefficiencies in ML deployment. We test our attack on diverse computer vision and speech recognition benchmark tasks and different settings, obtaining an average attack success rate of 75.42%. In particular, our attack causes an average 88.30% decrease in generalization capabilities, an 83.33% increase in latency, and an increase of up to 105.85% in energy consumption. These results highlight the significant vulnerabilities in model selection processes and their potential impact on real-world applications.