Beijing Roborock Technology Co., Ltd. — 2 prefixes (MA-L)

Roborock is a publicly listed (Shanghai STAR market, February 2020) Chinese maker of consumer IoT devices, best known for Wi-Fi-connected robotic vacuum cleaners with LiDAR navigation, RGB cameras, and cloud/app control; the line has since expanded to cordless stick vacuums and, from 2023, washing machines. Two MA-L blocks are IEEE-registered to "Beijing Roborock Technology Co., Ltd." — B0:4A:39 and 24:9E:7D — both carrying the same Haidian District, Beijing registry address. Each MA-L covers ~16.7 million addresses, so the pair spans roughly 33.6 million. Xiaomi was a founding investor, and Roborock devices ship both inside the Xiaomi smart-home ecosystem and independently under the Roborock brand — a detail that matters for asset classification, because a device's MAC OUI may resolve to Roborock while its app identity and cloud endpoint route through Xiaomi or, historically, the Tuya IoT cloud. Two security episodes are worth flagging for anyone profiling these devices: a 2021 Roborock-disclosed weakness in the insecure random-number generation used by a subset of models (S4, S5 Max, S6, S6 Pure, S6 MaxV) when negotiating channels on the Tuya cloud — affecting only devices whose IDs were prefixed ty_, fixed by firmware, no CVE assigned in the public notice — and a March 2026 Check Point Research demonstration of a remotely exploitable RCE in Roborock/Xiaomi-ecosystem vacuums (remote camera access and LiDAR floor-map exfiltration), reportedly patched before disclosure under a bug bounty. Roborock holds TÜV Rheinland (EN 303 645) and UL Diamond IoT security ratings and runs a public vulnerability-disclosure policy. As always with OUI work, IEEE publishes no registration dates; the 2020/2024 "date registered" values shown by third-party lookup tools are database artifacts, not IEEE facts.

IEEE assignment

2 prefixes (B0:4A:39, 24:9E:7D) → Beijing Roborock Technology Co., Ltd. [Confirmed] — IEEE MA-L (enrichment/registries/oui.csv)

Registry / block size

both MA-L (24-bit OUI); 2 IEEE prefixes (~33.6M addresses combined, ~16.7M each) [Confirmed] — IEEE MA-L (enrichment/registries/oui.csv). NOTE: oui.csv columns are only Registry, Assignment, Organization Name, Organization Address — IEEE publishes NO assignment/registration date; any "date registered" (e.g. maclookup.app: 2020-08-14 for B0:4A:39, 2024-04-30 for 24:9E:7D) is a third-party database artifact, not an IEEE fact.

MA-M / MA-S entries

none — zero rows for Roborock in mam.csv (MA-M) and oui36.csv (MA-S) [Confirmed] — enrichment/registries/mam.csv, enrichment/registries/oui36.csv

HQ / country

Floor 6, Building C, Kangjian Baosheng Plaza, No. 8 Heiquan Road, Haidian District, Beijing 100085, CN [Confirmed] — IEEE MA-L (enrichment/registries/oui.csv); corroborated by https://maclookup.app/vendors/beijing-roborock-technology-co-ltd

Local-language name

北京石头世纪科技有限公司 (Beijing Roborock Technology Co., Ltd.) [Confirmed] — https://en.wikipedia.org/wiki/Roborock

Company status

active; publicly listed on Shanghai STAR market since Feb 2020 (IPO ~$640M) [Confirmed] — https://en.wikipedia.org/wiki/Roborock

Founded

2014 [Confirmed] — https://en.wikipedia.org/wiki/Roborock

Device types

consumer IoT — robotic vacuum cleaners (primary), cordless stick vacuums, and washing machines (since 2023); Wi-Fi-connected smart-home appliances with LiDAR, RGB cameras, cloud/app control [Confirmed] — https://en.wikipedia.org/wiki/Roborock, https://us.roborock.com/pages/roborock-trust-center

Website

https://www.roborock.com/ (redirects to regional stores, e.g. https://us.roborock.com/) [Confirmed] — https://us.roborock.com/

Notable relationships

Xiaomi was a founding investor; devices sold both within the Xiaomi ecosystem and independently under the Roborock brand [Confirmed] — https://en.wikipedia.org/wiki/Roborock

Security context (2021 Tuya RNG)

Roborock disclosed that S4, S5 Max, S6, S6 Pure, S6 MaxV used an insecure RNG when negotiating channels on the Tuya IoT cloud, potentially exposing device info, cleaning data, maps, and settings; only devices with ty_-prefixed IDs affected (Roborock's own cloud uses rr_); fixed by firmware; no CVE in the public notice [Confirmed] — https://global.roborock.com/pages/disclosure-security-vulnerability-on-tuya-iot-cloud

Security context (2026 RCE)

Check Point Research demonstrated a remotely exploitable RCE in Roborock/Xiaomi-ecosystem vacuums (remote camera access, LiDAR map exfiltration without local-network access), published Mar 2026; reportedly patched before disclosure under responsible disclosure with a ~$30,000 bounty; no public CVE in available sources [Likely] — https://www.kunalganglani.com/blog/robot-vacuum-hack-roborock-smart-home-security-risk

Security certifications

TÜV Rheinland "IoT Security & Data Privacy Certified (EN 303 645)" and UL Diamond IoT Security Rating; claims TLS for device comms and SRTP-over-DTLS for video [Confirmed] — https://us.roborock.com/pages/roborock-trust-center

Vulnerability disclosure program

public VDP operated [Confirmed] — https://global.roborock.com/pages/roborock-vulnerability-disclosure-policy

Privacy context

privacy/data-handling practices for Chinese-made goods have drawn scrutiny (Jul 2025); company claims on-device processing for AI/vision and no cloud upload of captured images; independent audit coverage is limited [Likely] — https://www.kedglobal.com/tech,-media-telecom/newsView/ked202507030017, https://us.roborock.com/pages/roborock-trust-center

Registration date

Unknown — IEEE publishes none; third-party dates are database artifacts [Unknown] — n/a (no IEEE-sourced date exists)

Analyst note

a Roborock OUI on a globally-administered address reliably identifies genuine Roborock hardware, but ecosystem/cloud identity may route through Xiaomi or Tuya independently of the OUI; treat third-party "date registered" values as non-authoritative.