Nanoleaf — 2 prefixes (MA-L + MA-M)

Nanoleaf is a Toronto-based consumer smart-lighting company, founded in 2012 by University of Toronto engineering graduates Gimmy Chu, Tom Rodinger, and Christian Yan, with additional offices in Paris and Shenzhen. It holds two IEEE OUI allocations under the single organization name "Nanoleaf": one MA-M block (00:55:DA:50/28, the 28-bit assignment 0055DA5, ~1M addresses) and one MA-L block (80:8A:F7, the 24-bit assignment, ~16M addresses), both registered to the same address at 100 Front Street East, 4th Floor, Toronto, Ontario, Canada M5A 1E1. The hardware behind these prefixes is consumer IoT lighting: modular light panels (Shapes, Blocks, Lines, Elements), smart LED bulbs (the Essentials A19 line), light strips (Lightstrip), and accessory controllers. Devices connect over 2.4 GHz Wi-Fi (802.11 b/g/n), Bluetooth LE, and Thread (the IEEE 802.15.4 mesh), with Matter as the application layer over both Wi-Fi and Thread depending on product; they are controlled through the Nanoleaf app or via Alexa, Google Home, and Apple HomeKit. From an asset-classification standpoint a globally-administered Nanoleaf OUI reliably identifies a smart-lighting endpoint, which is a useful signal for IoT VLAN segmentation. The security profile is the practical caveat: Nanoleaf devices have multiple published CVEs, including two CVSS 9.8 critical issues in older firmware/app versions (CVE-2022-47758 missing TLS verification enabling RCE via DNS hijacking, fixed in firmware v7.1.3; and CVE-2022-46640 command injection in the Desktop App before v1.3.1), plus High-severity denial-of-service issues on the Lightstrip (CVE-2023-42189, CVE-2023-45955) and a 2026 unauthenticated firmware-upload flaw on Nanoleaf Lines (CVE-2026-33268, fixed in v12.3.6). Most of these are local- or adjacent-network attacks, so keeping firmware current and segmenting these devices onto an IoT VLAN is the standard mitigation. Nanoleaf runs a coordinated vulnerability-disclosure program with a dedicated security contact and PGP support.

IEEE assignment

2 prefixes → "Nanoleaf" — one MA-L (80:8A:F7) and one MA-M (assignment 0055DA5, i.e. 00:55:DA:50/28) [Confirmed] — IEEE MA-L + MA-M registries (enrichment/registries/oui.csv MA-L row; enrichment/registries/mam.csv MA-M row)

Registry / block size

MA-L (24-bit OUI, ~16M addresses) and MA-M (28-bit, ~1M addresses) [Confirmed] — IEEE registries. NOTE: IEEE's public OUI data publishes NO assignment/registration date (columns are only Registry, Assignment, Organization Name, Organization Address); any "date registered" shown on third-party tools is a database artifact, not an IEEE fact.

HQ / country

100 Front Street East, 4th Floor, Toronto, Ontario, CA M5A 1E1 (registry address; same for both blocks) [Confirmed] — IEEE registries. Corporate footprint also includes offices in Paris, France and Shenzhen, China [Confirmed] — en.wikipedia.org/wiki/Nanoleaf

Company status

active [Confirmed] — nanoleaf.me

Founded

2012, by Gimmy Chu, Tom Rodinger, and Christian Yan (University of Toronto engineering graduates) [Confirmed] — en.wikipedia.org/wiki/Nanoleaf

Device types

consumer smart LED lighting — modular light panels (Shapes, Blocks, Lines, Elements), smart bulbs (Essentials A19), light strips (Lightstrip), accessory controllers [Confirmed] — nanoleaf.me/en-US/products/

Notable products

Nanoleaf Shapes, Lines, Elements, Essentials, Lightstrip

Verified prefixes

80:8A:F7 (MA-L), 00:55:DA:50/28 (MA-M) [Confirmed] — IEEE registries / maclookup.app/vendors/nanoleaf. Third-party "date registered" values (00:55:DA:50/28 shown as 2016-02-05; 80:8A:F7 shown as 2021-01-15) are database artifacts, NOT IEEE-published registration dates. [Likely as artifacts; dates not attributable to IEEE] — maclookup.app/vendors/nanoleaf

Network protocols

Wi-Fi 2.4 GHz (802.11 b/g/n), Bluetooth LE, Thread (IEEE 802.15.4 mesh), Matter (application layer over Wi-Fi and Thread). Does NOT use Zigbee or Z-Wave. [Confirmed] — support.nanoleaf.me Matter-over-Thread article; Amazon Essentials Matter listing

Security note

multiple published CVEs — CVE-2022-47758 (CVSS 9.8, missing TLS verification, RCE via DNS hijacking, firmware ≤v7.1.1, fixed v7.1.3); CVE-2022-46640 (CVSS 9.8, command injection, Desktop App <v1.3.1); CVE-2023-42189 (CVSS 7.5, insecure permissions in Matter SDK, Lightstrip v3.5.10, DoS, shared across vendors); CVE-2023-45955 (CVSS 7.5, DoS via malformed write-binding attribute, Lightstrip v3.5.10); CVE-2026-33268 (CVSS 6.5, unauthenticated firmware-upload endpoint, Nanoleaf Lines 12.3.2, fixed v12.3.6). Most are local/adjacent-network; older firmware carries RCE potential. Nanoleaf runs a coordinated vulnerability-disclosure program with a dedicated security contact + PGP. [Confirmed] — nanoleaf.me/en-CA/about-us/product-security/, app.opencve.io (vendor=nanoleaf), sentinelone.com CVE-2026-33268

Analyst note

a globally-administered Nanoleaf OUI identifies a consumer smart-lighting endpoint — segment onto an IoT VLAN and keep firmware current given the CVE history. As with all Wi-Fi consumer gear, MAC randomization on the controlling phone is unrelated to the lighting device's own globally-administered OUI.