Lumi United Technology Co., Ltd — 2 prefixes (MA-L), brand "Aqara"

Lumi United Technology Co., Ltd is the Shenzhen-based smart-home manufacturer behind the consumer brand Aqara, founded in 2009 and registered to an address in JinQi Wisdom Valley, Nanshan District, Shenzhen, Guangdong, China. It holds two MA-L (24-bit OUI) blocks in the IEEE registry — 18:C2:3C and 54:EF:44 — both carrying the identical Nanshan registered address. The hardware behind these prefixes is unambiguously consumer IoT: Zigbee/Thread/Matter hubs, presence/motion/door-window/temperature/humidity sensors, smart locks, cameras, video doorbells, wall switches, curtain and shade controllers, lighting, and thermostats, integrating with Apple Home, Amazon Alexa, Google Home, and Samsung SmartThings. The company reports 50+ product categories, 2,200+ SKUs, and 56M+ activated devices globally as of end-2025. A security flag is warranted for asset-classification work: a June 2026 coordinated disclosure (runZero) surfaced roughly 26 security failures with 10 CVE publications, including CVE-2026-50091 (CVSS 9.1 — hardcoded crypto keys in the Aqara Home Android SDK), CVE-2026-50084 (CVSS 9.6 — cloud-API missing authorization allowing cross-account access), and an undocumented CoAP-based root-shell execution mechanism in firmware. These are cloud/app-layer issues; the OUI itself identifies a standard consumer IoT device. As with all OUIs, no IEEE registration date exists — any "date registered" attached to 18:C2:3C or 54:EF:44 by third-party tools is a database artifact, not an IEEE fact.

IEEE assignment

2 prefixes (18:C2:3C, 54:EF:44) → Lumi United Technology Co., Ltd, registered Nanshan District, Shenzhen, Guangdong, CN [Confirmed] — IEEE MA-L registry; maclookup.app/vendors/lumi-united-technology-co-ltd

Registry / block size

MA-L (24-bit OUI); two blocks. Not found in MA-M (mam.csv) or MA-S (oui36.csv) [Confirmed] — IEEE MA-L registry. NOTE: IEEE publishes NO assignment/registration date; any "2019-03-21" / "2021-10-23" dates on third-party tools are database artifacts, not IEEE facts.

Registered address

8th Floor, JinQi Wisdom Valley, No.1 TangLing Road, LinXian Ave, Taoyuan Residential District, Nanshan District, Shenzhen, Guangdong, CN 518055 [Confirmed] — IEEE MA-L registry

HQ / country

Shenzhen, China (also a New York office) [Confirmed] — aqara.com/us/about-us/brand-story; linkedin.com/company/lumi-united-technology-co-ltd

Brand

Aqara (consumer-facing brand launched 2016; Lumi United is the legal/manufacturing entity) [Confirmed] — aqara.com/us/about-us/brand-story; legalclarity.org/who-owns-aqara-lumi-united-technology-and-xiaomi

Founded

2009 [Confirmed] — aqara.com/us/about-us/brand-story

Company status

active; privately held early 2026, filed a Hong Kong Stock Exchange prospectus March 2026 (potential IPO); early Xiaomi investment but controls own patents/software/brand [Confirmed] — legalclarity.org; app.dealroom.co/companies/lumi_united_technology

Device types

IoT/smart-home — hubs, presence/motion/door-window/temperature/humidity sensors, smart locks, cameras, video doorbells, wall switches, curtain/shade controllers, lighting, thermostats. 50+ categories, 2,200+ SKUs, 56M+ activated devices (end-2025) [Confirmed] — aqara.com/us/about-us/brand-story; aqara.com/en/security-certifications

Protocols

Zigbee (primary mesh), Thread, Matter, Wi-Fi, Bluetooth; integrates Apple Home, Amazon Alexa, Google Home, Samsung SmartThings [Confirmed] — aqara.com/us/about-us/brand-story; legalclarity.org

Compliance / certifications

Australia Cyber Security (Smart Devices) Rules 2025, UK PSTI, EU Data Act (Sept 2025); Red Dot and G-Mark design awards; CSA-IOT (Connectivity Standards Alliance) member; Chinese national "Little Giant" enterprise; min. 2-year security-update commitment [Confirmed] — aqara.com/en/security-certifications; csa-iot.org/member/lumi-united-technology-co-ltd

Security note (June 2026 disclosure)

~26 security failures, 10 CVEs (runZero-coordinated). Critical: CVE-2026-50091 (CVSS 9.1 — hardcoded crypto keys in Aqara Home Android SDK liblumidevsdk.so v6.0.0, partial patch April 2026); CVE-2026-50084 (CVSS 9.6 — Aqara Cloud Production API missing authorization / CWE-862, cross-account access, chainable to account takeover); undocumented CoAP-based root-shell remote execution in firmware. Cloud/app-layer, not OUI-level. [Confirmed] — runzero.com/advisories/aqara-hardcoded-sdk-keys-cve-2026-50091; github.com/advisories/GHSA-4mvx-j4wr-wqrc; github.com/Chapoly1305/myCVEReports/blob/main/Aqara/Undocumented-Remote-Execution.md

Related

Infineon Technologies lists Lumi United as a design partner (consistent with embedded MCU/wireless-IC usage) [Confirmed] — infineon.com/cms/en/partners/design-partners/lumi-united-technology

Analyst note

An 18:C2:3C or 54:EF:44 OUI reliably identifies Aqara/Lumi United smart-home hardware. Treat such devices as IoT requiring network segmentation given the June 2026 disclosure; the vulnerabilities are cloud/app-layer, not derivable from the OUI itself.