
McJump Box: Leveraging Free Corporate WiFi and 802.11ah for Unattributable Fun and Profit

DEFCONConference · 2,707 views · 44:38 · 5 months ago

This talk demonstrates a technique for establishing long-range, unattributable internet connectivity by bridging public Wi-Fi networks with 802.11ah (Wi-Fi HaLow) radio links. The presenter details the hardware selection, including the use of ESP32 and Heltec HaLow modules, and the challenges of integrating these components into a functional, low-power, and portable bridge. The research highlights the practical limitations of current off-the-shelf HaLow hardware and provides insights into configuring OpenWrt for custom network bridging.

Bridging the Gap: Using Wi-Fi HaLow for Unattributable Long-Range Access

TLDR: This research demonstrates how to create a covert, long-range bridge between public Wi-Fi and a remote device using 802.11ah (Wi-Fi HaLow) radio modules. By pairing an ESP32-based Wi-Fi bridge with a HaLow transceiver, an attacker can maintain persistent, unattributable internet access from miles away. Pentesters should look for these low-power, non-standard radio bridges during physical security assessments of corporate perimeters.

Public Wi-Fi is the low-hanging fruit of the physical security world. We have all seen the "free corporate Wi-Fi" trap, but the real danger isn't just the captive portal you are forced to click through. It is the ability to turn that connection into a persistent, long-range tunnel that bypasses traditional network monitoring. The recent research presented at DEF CON 2025 on the "McJump Box" technique highlights a shift in how we should think about perimeter security. It is no longer just about the Ethernet port in the lobby; it is about the tiny, low-power radio devices that can be hidden on a roof and left to run for months.

The Mechanics of the HaLow Bridge

The core of this technique relies on bridging two distinct network protocols: standard 2.4GHz Wi-Fi and 802.11ah, commonly known as Wi-Fi HaLow. HaLow operates in the sub-GHz band, which provides significantly better range and wall penetration than the 2.4GHz or 5GHz bands used by standard corporate access points.

The setup involves two primary nodes. The first node, the "bridge," is physically placed near a target Wi-Fi source, such as a public-facing access point in a coffee shop or a corporate lobby. This node connects to the target Wi-Fi and acts as a gateway. The second node, the "client," is kept by the operator. By using OpenWrt as the underlying operating system, the researcher was able to configure these devices to route traffic between the Wi-Fi interface and the HaLow radio interface.

The technical challenge here is not the routing itself, but the hardware integration. Off-the-shelf HaLow modules, such as those from Heltec, are often designed for simple IoT telemetry, not high-throughput network bridging. The researcher found that standard ESP32-based implementations often lack the necessary support for Access Point (AP) mode when paired with specific HaLow transceivers, forcing a reliance on custom firmware or specific, older library versions to maintain stability.

Integration and Hardware Hurdles

During the research, the integration of these components proved to be the most significant bottleneck. The Seeed Studio XIAO series, while compact and ideal for concealment, required precise configuration of the Espressif IoT Development Framework (ESP-IDF) to handle the serial-to-radio communication.

The most effective configuration involved using a flash chip to toggle between two modes: one where the HaLow radio communicates via serial AT commands to the ESP32, and another where the Ethernet port is bridged directly to the HaLow radio. This allows the operator to switch the device from a "configuration" state to a "bridge" state without needing physical access to the device once it is deployed.

For those looking to replicate this, the Android iperf GPS tool mentioned in the talk is an essential utility. It allows you to map the throughput of your bridge against physical location data, which is critical when you are trying to determine the effective range of your HaLow link in a dense urban environment.

Real-World Pentesting Implications

If you are conducting a physical red team engagement, you should be scanning for sub-GHz signals near the perimeter of your target. These devices are often powered by 18650 batteries and can be hidden in plain sight, such as inside a fake junction box or behind a sign. Because they operate on the 900MHz band, they are invisible to standard Wi-Fi scanners that only look for 2.4GHz or 5GHz traffic.

The impact of a successful deployment is significant. Once the bridge is established, the operator has a persistent, low-bandwidth tunnel into the target's public network. While the throughput is not enough to exfiltrate massive databases, it is more than sufficient for command-and-control (C2) traffic, DNS tunneling, or maintaining a persistent SOCKS proxy for further internal reconnaissance.

Defensive Considerations

Defending against this requires more than just strong Wi-Fi passwords. Organizations need to perform physical sweeps of their exterior perimeters, specifically looking for unauthorized radio equipment. If you are a network administrator, monitor for unusual, low-bandwidth traffic patterns originating from your public-facing Wi-Fi segments. If you see a client that stays connected for days at a time but only transmits a few kilobytes of data every hour, you might be looking at a bridge node.
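One way to operationalise that last heuristic, as an added example that is not part of the talk or the original write-up: a small Python script that reads a wireless-controller association export and flags clients that stayed associated for days while moving only a few kilobytes per hour. The CSV column names, the sample rows and the two thresholds are assumptions; adjust them to your controller's export format and to your own baseline.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample export from a wireless controller (not real data);
# the column names are assumptions, adjust them to your controller's export.
SAMPLE_CSV = """mac,ssid,assoc_start,assoc_end,bytes_total
aa:bb:cc:00:00:01,Guest,2025-08-01T09:00:00,2025-08-01T10:30:00,85000000
aa:bb:cc:00:00:02,Guest,2025-08-01T08:00:00,2025-08-05T08:00:00,250000
aa:bb:cc:00:00:03,Guest,2025-08-02T12:00:00,2025-08-02T12:05:00,1200
aa:bb:cc:00:00:04,Guest,2025-08-01T00:00:00,2025-08-04T00:00:00,9000000000
"""

# Thresholds encode the write-up's heuristic: associated for days, moving
# only a few kilobytes per hour. Tune both against your own baseline.
MIN_HOURS = 48.0
MAX_KB_PER_HOUR = 10.0


def parse_sessions(text):
    """Turn the CSV export into dicts with session length and volume."""
    sessions = []
    for row in csv.DictReader(StringIO(text)):
        start = datetime.fromisoformat(row["assoc_start"])
        end = datetime.fromisoformat(row["assoc_end"])
        sessions.append({
            "mac": row["mac"],
            "ssid": row["ssid"],
            "hours": (end - start).total_seconds() / 3600,
            "bytes": int(row["bytes_total"]),
        })
    return sessions


def kb_per_hour(session):
    """Average volume per hour of association; inf for zero-length sessions."""
    if session["hours"] <= 0:
        return float("inf")
    return session["bytes"] / 1024 / session["hours"]


def is_bridge_candidate(session, min_hours=MIN_HOURS, max_kb_per_hour=MAX_KB_PER_HOUR):
    """Long-lived AND low-volume: a normal laptop is often one, rarely both."""
    return session["hours"] >= min_hours and kb_per_hour(session) <= max_kb_per_hour


def find_bridge_candidates(text, min_hours=MIN_HOURS, max_kb_per_hour=MAX_KB_PER_HOUR):
    """Return the MACs in the export that match the heuristic, for analyst review."""
    return [s["mac"] for s in parse_sessions(text)
            if is_bridge_candidate(s, min_hours, max_kb_per_hour)]
```

A flagged MAC is a lead for a physical sweep of the area that access point covers, not proof of a bridge; headless IoT gear on a guest SSID will produce the same pattern.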

Ultimately, the "McJump Box" is a reminder that the physical layer is the foundation of all security. If an attacker can bridge your network to a radio link, they have effectively moved the perimeter of your network to wherever they are standing. Keep your eyes on the roof, and do not assume that a lack of 2.4GHz signals means your perimeter is clear.
