🤖 AI Summary
MAC Control Elements (CEs) lack the PDCP-layer encryption and integrity protection applied to other control signaling, leaving them open to eavesdropping and tampering in procedures beyond Layer 1/Layer 2 Triggered Mobility (non-LTM scenarios), which compromises radio resource scheduling security and user privacy.
Method: This work conducts the first systematic analysis of 3GPP MAC CE attack surfaces beyond LTM, integrating protocol reverse engineering, STRIDE threat modeling, formal verification, and cross-layer correlation analysis, empirically grounded in TS 38.321 and TS 38.322.
Contribution/Results: We identify five novel attack vectors and propose a lightweight, integrable MAC-layer protection framework featuring two backward-compatible defense schemes aligned with existing protocol stacks. This study fills a critical gap in MAC-layer security research; its recommendations have been preliminarily adopted by 3GPP RAN WG3, informing future standardization efforts on security enhancements.
📝 Abstract
To more effectively control and allocate network resources, MAC CE, a type of control signaling located in the MAC layer, has been introduced into the network protocol. Since MAC CE lacks the encryption and integrity protection mechanisms provided by PDCP, the control signaling carried by MAC CE is vulnerable to interception or tampering by attackers during resource scheduling and allocation. Currently, 3GPP has analyzed the security risks of Layer 1/Layer 2 Triggered Mobility (LTM), where handover signaling sent to the UE via MAC CE by the network can lead to privacy leaks and network attacks. However, in addition to LTM, other protocol procedures may carry potential security vulnerabilities. Therefore, this paper explores the security threats to MAC CE and the corresponding protection mechanisms. The research is expected to support 3GPP's study of MAC CE and to be integrated with the security research on lower-layer protocols, thereby enhancing the security and reliability of the entire communication system.