Nabu Casa, Inc. — 1 prefix (MA-L); Home Assistant smart-home hubs (OUI = brand)

Nabu Casa, Inc. holds a single MA-L block, 20:F8:3B, registered to the company's Dover, Delaware address (8 The Green, Suite 12630 — a registered-agent address common to US corporations, not an operating site). Nabu Casa is the commercial entity behind the open-source Home Assistant project: it was founded in 2018 by the Home Assistant founders, funds Home Assistant and Home Assistant OS, and channels its profits into the non-profit Open Home Foundation. The 20:F8:3B OUI surfaces on Nabu Casa's own hardware — chiefly the Home Assistant Green (an entry-level Ethernet hub manufactured with Seeed Studio) and the Home Assistant Yellow (an expandable hub with an onboard Zigbee/Thread radio and optional PoE) — alongside the Connect ZBT-2 and ZWA-2 USB radio dongles and the Voice Preview Edition. These are LAN-attached home-automation controllers that bridge Zigbee, Thread, Z-Wave, and Matter to the local network, with remote access offered through the optional Nabu Casa Cloud subscription over encrypted SniTun tunnels rather than port-forwarding. For triage, a 20:F8:3B device on a residential network is an expected Home Assistant hub; on a corporate network it is a shadow-IT signal — a personally-owned smart-home controller. The architecturally notable security history is the local-only webhook bypass (CVE-2023-41894), where the Cloud proxy collapsed the source IP to 127.0.0.1 and made local-only webhooks externally reachable, fixed in Home Assistant Core 2023.9.

IEEE assignment

1 prefix → "Nabu Casa, Inc." (20:F8:3B), registered Dover, DE, US [Confirmed] — IEEE MA-L (enrichment/registries/oui.csv line 21), https://maclookup.app/macaddress/20f83b

Registry / block size

MA-L (24-bit OUI; up to 16,777,216 addresses per block); 1 block; not present in MA-M (mam.csv) or MA-S (oui36.csv) [Confirmed] — IEEE MA-L, https://maclookup.app/macaddress/20f83b

OUI hex

20F83B (prefix 20:F8:3B:xx:xx:xx) [Confirmed] — IEEE MA-L

HQ / country

8 The Green, Suite 12630, Dover, DE 19901, US (registered-agent address; not an operating HQ) [Confirmed] — IEEE MA-L, https://maclookup.app/macaddress/20f83b

Company status

active; founded 2018 by the Home Assistant founders; funds Home Assistant + Home Assistant OS; profits go to the non-profit Open Home Foundation [Confirmed] — https://www.nabucasa.com/about/, https://www.howtogeek.com/whats-the-deal-with-nabu-casa-the-company-behind-home-assistant/

Device types

smart-home hubs / home-automation controllers; USB Zigbee/Thread/Z-Wave radio dongles; local voice hardware [Confirmed] — https://www.nabucasa.com/, https://www.home-assistant.io/green/

Notable products

Home Assistant Green (Ethernet hub, with Seeed Studio), Home Assistant Yellow (expandable hub, onboard Zigbee/Thread radio via Silicon Labs MGM210P, optional PoE), Connect ZBT-2 (Zigbee/Thread USB dongle), Connect ZWA-2 (Z-Wave USB dongle), Voice Preview Edition [Confirmed] — https://www.home-assistant.io/green/, https://www.crowdsupply.com/nabu-casa/home-assistant-yellow

Verified prefix

20:F8:3B (MA-L, "Nabu Casa, Inc.") [Confirmed] — IEEE MA-L, https://maclookup.app/macaddress/20f83b

Registration date

Unknown — IEEE publishes no assignment dates. The "13 July 2023" shown by maclookup.app is a third-party database artifact, not an IEEE-sourced fact, and is not stated here as a registration date. [Unknown] — https://standards.ieee.org/faqs/regauth/, https://maclookup.app/macaddress/20f83b

IANA reference

none — no IANA Reference applies to this OUI entry [Confirmed]

Security context

Home Assistant has several patched CVEs. The architecturally notable one is CVE-2023-41894 — the Cloud/SniTun proxy set the source IP to 127.0.0.1, making "local-only" webhooks externally reachable (fixed in HA Core 2023.9). A Cure53 audit funded by Nabu Casa surfaced critical account-takeover/clickjacking issues (CVE-2023-41895/41896/41897), also fixed in 2023.9; CVE-2020-36517 was an information leak via a hardcoded DNS resolver. Nabu Casa proactively blocked Remote UI for instances on HA Core 2021.1.4 and older. Posture is local-first with an optional encrypted cloud tunnel; a hub on a network is not itself a compromise indicator, but unpatched instances with Cloud Remote UI enabled are a known target. [Confirmed] — https://www.home-assistant.io/security/, https://nvd.nist.gov/vuln/detail/cve-2023-41894, https://www.nabucasa.com/more-info/insecure-instance/

Related vendors

Open Home Foundation (non-profit beneficiary); Seeed Studio (contract manufacturer for Green); Silicon Labs (radio module supplier for Yellow — MGM210P) [Confirmed] — https://www.howtogeek.com/whats-the-deal-with-nabu-casa-the-company-behind-home-assistant/, https://www.home-assistant.io/green/

Analyst note

A 20:F8:3B OUI = a Nabu Casa Home Assistant hub (Green or Yellow) or a related Nabu Casa device — a local Ethernet-attached smart-home controller. Routine on residential networks; a shadow-IT flag on enterprise networks. Keep HA Core current if Nabu Casa Cloud Remote UI is enabled.