Citadel / Controls / WirelessNetworking

WirelessNetworking Control

What does this control check?

The WirelessNetworking control checks for saved wireless networks that use insecure or outdated encryption protocols. This includes networks using WEP, open/unencrypted networks, or older WPA versions that have known security vulnerabilities.

Important: Citadel will tell you which specific network(s) are using insecure encryption. Weak WiFi encryption is like having a conversation in a room where anyone nearby can listen in. Attackers within range of the network can intercept and read all data transmitted between your Mac and the WiFi router - including passwords, emails, messages, and any information you send or receive. They can also perform man-in-the-middle attacks, inserting themselves between you and websites to steal credentials or inject malicious content. Using insecure wireless networks exposes everything you do online to potential eavesdroppers.

Why is this important?

📡

Traffic Interception

Weak WiFi encryption allows attackers to capture and read all your network traffic, including passwords, emails, and sensitive data transmitted over the network.

🎭

Man-in-the-Middle Attacks

Insecure networks make it easy for attackers to position themselves between you and the websites you visit, stealing credentials and injecting malicious content.

🔓

Automatic Connection Risk

If saved, your Mac may automatically connect to these insecure networks without warning, exposing you to attacks whenever you're in range.

How to fix this

Removing Insecure Wireless Networks on macOS

Forget the insecure network:

  1. Click the Apple menu in the top-left corner
  2. Select System Settings (or System Preferences on older versions)
  3. Click Network (or Wi-Fi)
  4. Click Wi-Fi in the left sidebar if needed
  5. Click Advanced (or Details)
  6. You'll see a list of known networks under "Preferred Networks"
  7. Find the insecure network (Citadel told you the name)
  8. Select it and click the (minus) button to remove it
  9. Click OK to confirm
  10. Click Apply if prompted

If this is your home network:

If the insecure network is your home WiFi, you should upgrade your router's security:

  1. Access your router's admin panel (usually http://192.168.1.1 or http://192.168.0.1)
  2. Log in with your router's admin credentials
  3. Find the Wireless Security or WiFi Security settings
  4. Change the security type to WPA3 (best) or WPA2 (acceptable)
  5. Save the settings and reconnect your Mac using the updated security

Need help? Contact your internet service provider or IT support if you're unsure how to update your router settings.

⚠️ Important notes:
  • Avoid connecting to open/unencrypted public WiFi networks when possible
  • If you must use public WiFi, use a VPN to encrypt your traffic
  • WPA3 is the most secure - upgrade your home router if it only supports WPA2 or older
  • WEP encryption is completely broken and provides no real security
  • After forgetting a network, your Mac won't automatically reconnect to it

Verifying the fix

After removing the insecure network, Citadel will automatically verify this control during its next check.

To verify the insecure network is removed:

  1. Open System SettingsNetworkWi-Fi
  2. Click Advanced (or Details)
  3. Review the list of Preferred Networks
  4. The insecure network should no longer appear in the list
  5. If you're currently connected to it, you should disconnect and connect to a secure network

What's secure? Look for networks showing "WPA2" or "WPA3" security. Avoid networks showing "WEP", "Open", or "None".