BlueMaho (Bluetooth Security Testing Suite) updated to v.090417

BlueMaho is GUI-shell (interface) for suite of tools for testing security of bluetooth devices. It is freeware, opensource, written on python, uses wxPyhon. It can be used for testing BT-devices for known vulnerabilities and major thing to do - testing to find unknown vulnerabilities.

Changelog for this release

  • NEW: statistics (uniq devices by day/hour, vendors, services etc)
  • NEW: handbook
  • NEW: opush abuse (prompts flood) DoS attack
  • NEW: OBEX stress tests
  • NEW: DoS in OPUSH filename for Nokia 7610, 3210, N70, N73
  • NEW: Mode 3 abuse attack: get pairing by using social engineering
  • NEW: shows times device was found in defined place
  • NEW: shows if different names were used by same bd_addr
  • NEW: shows PSM and RFCOMM channels in SDP vrowse info
  • NEW: added carwhisperer 0.2
  • NEW: using ’lightblue’ package for OBEX some operations
  • FIX: some code improvements for more usability and stability
  • CHG: rewrited for more stability
  • CHG: fontsize can be changed in config
  • CHG: add specifying of local hci device to atshell.c, psm_scan.c, rfcomm_scan.c (added timeout, scans more accuracy)
  • CHG: oui.txt is now used original format
  • CHG: greenplague removed


  • scan for devices, show advanced info, SDP records, vendor etc
  • loop scan - it can scan all time, showing you online devices
  • alerts with sound if new device found
  • on_new_device - you can specify what command should it run when it founds new device
  • it can use separate dongles - one for scanning (loop scan) and one for running tools or exploits
  • send files
  • change name, class, mode, BD_ADDR of local HCI devices
  • save results in database
  • tracking - it can show when remote device was seen first and how many times
  • position feature - it can write to database WHERE scanned device was found (you specify location by yourself)
  • test remote device for known vulnerabilities (see exploits for more details)
  • test remote device for unknown vulnerabilities (see tools for more details)
  • themes! you can customize it


  • atshell.c by Bastian Ballmann (modified attest.c by Marcel Holtmann)
  • bccmd by Marcel Holtmann
  • bdaddr.c by Marcel Holtmann
  • by smiley
  • psm_scan and rfcomm_scan from bt_audit-0.1.1 by Collin R. Mulliner
  • BSS (Bluetooth Stack Smasher) v0.8 by Pierre Betouin
  • btftp v0.1 by Marcel Holtmann
  • btobex v0.1 by Marcel Holtmann
  • greenplaque v1.5 by
  • L2CAP packetgenerator by Bastian Ballmann
  • redfang v2.50 by Ollie Whitehouse
  • ussp-push v0.10 by Davide Libenzi


  • Bluebugger v0.1 by Martin J. Muench
  • bluePIMp by Kevin Finisterre
  • BlueZ hcidump v1.29 DoS PoC by Pierre Betouin
  • helomoto by Adam Laurie
  • hidattack v0.1 by Collin R. Mulliner
  • Nokia N70 l2cap packet DoS PoC Pierre Betouin
  • Sony-Ericsson reset display PoC by Pierre Betouin

Post scriptum

Compliance Mandates

  • Vulnerability Scanner :

    PCI DSS 11.2, 6.6, SOX A13.3, GLBA 16CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001-27002 12.6, 15.2.2


Related Articles

Vulnerability Scanner