Breaking in to Hotel Rooms
Is this how the al-Mabhouh assassins got in?
Is this how the al-Mabhouh assassins got in?
Jonas Lejon • March 1, 2010 7:53 AM
Site seems down?
djn • March 1, 2010 8:10 AM
It’s like we schneierdotted them?
theprez98 • March 1, 2010 8:18 AM
Why the big deal over this news? If the Mossad killed al-Mabhouh, good for them. Not only was he a leader within Hamas (a terrorist organization), but he is one of the co-founders of the al-Qassam Brigades, which is Hamas’ military wing. He is a terrorist, and he was (presumably) killed by a country who Hamas (by its charter) wants to wipe off the map.
HJohn • March 1, 2010 8:52 AM
@theprez98: “theprez98 at March 1, 2010 8:18 AM:
A lot of people are interested in the logistics of it. These things are fairly rare, and learning how it is carried out is somewhat fascinating.
I’ll refrain from discussing the politics of it all.
Stephen • March 1, 2010 8:57 AM
Google has a text only cache:
bickerdyke • March 1, 2010 9:11 AM
You’re right with that, but it’s still not something like a “fair trial”…
John • March 1, 2010 9:13 AM
So al-Mabhouh was not a hip froodster who knew where his towel was.
spaceman spiff • March 1, 2010 9:44 AM
Notice that it took him less than 10 seconds to get into the room. I used to drive tow trucks in the US and could get into just about any car in 10 seconds with either a Slim Jim or wire coat hanger. Bingo – your stuff (or ass) is mine!
wiredog • March 1, 2010 10:00 AM
A repo man spends his life getting into tense situations.
Billy • March 1, 2010 10:20 AM
I would easily pay 2-300 for a non-destructive device that can be fitted on to any door, and provide independant locking and opening.
$200 more if its operable wirelessly, correctly using modern cryptographically secure authenticaiton mechanisms.
It can not damage the door, or frame, or leave scratches, and hopefully would be visible from the inside only. I would use this on my office door at work, and when I travel. It is rare that I trust the holder of the master key.
So who wants to make the money?
mcb • March 1, 2010 10:45 AM
I understand these and many other useful skills are routinely taught to special operators. No reason to imagine a hotel room door would slow down the assassins.
Bruce Schneier • March 1, 2010 10:45 AM
“Why the big deal over this news?”
It’s rare that assassinations are so well documented. And the tactics are interesting to discuss.
I’m trying to keep the politics out of this.
Bruce Schneier • March 1, 2010 10:46 AM
“I understand these and many other useful skills are routinely taught to special operators. No reason to imagine a hotel room door would slow down the assassins.”
Remember that al-Mabhouh switched hotels at the last minute, or — at least — the assassins thought he would be at a different hotel until the last minute. So a lot of the details had to have been invented on the fly.
HJohn • March 1, 2010 10:52 AM
“So a lot of the details had to have been invented on the fly.”
I see it sort of like chess. One can have a great strategy planned, but the opponent doesn’t always make moves one anticipates. Good tactics are well thought out against what is known, great tactics work well against the unknowns. The same can be said on IT security as well (a good security function does well against known risks, but a great one can handle the unexpected.)
george • March 1, 2010 11:28 AM
Invented on the fly, that would explain the sending of twenty seven operators.
now someone show me a list of the individual duties of these guys, two or three to call austria, three or four to get credit cards and buy airline tickets, others to rent cars and others to drive them? I never realized how the mafia was doing cheap shoddy work
karrde • March 1, 2010 12:11 PM
Invented on the fly sounds like sloppy wording.
I would guess that the team had a toolkit for a variety of methods, and picked the tool best matched to the situation and the time-constraints.
To wit, they had some basic mechanical-lock-picking stuff, possibly a stray master-key-card in someone’s wallet, probably a small electronics kit that would make cloning/copying key-cards easier, and/or a piece of hand-held electronics capable of spoofing multiple key-card-systems.
Even more important, they had people who were practiced at using the toolkit, and who could quickly decide which piece of the toolkit was most useful for whetever hotel they were in. And they were able to switch from plan A to plan B when news came that the target had switched hotels.
Andrew • March 1, 2010 12:19 PM
Hotel rooms are inherently unsecure by design.
The only way to keep a hotel room secure is to keep a person (or two, if you’re paranoid) in it at all times.
Both housekeeping and management can get into a “locked” hotel room with trivial difficulty. Those of us with poor manual dexterity have discovered the joys of a good social engineering story and a $20 bill at the right moment.
Also, did this hotel room have a window? Free climbing is also a standard special operations skill, to the point that some traveling specwar people (who should really know better as it draws attention) have been known to dispense with keys which might identify their hotel during a night out on the town, relying instead on their drunken climbing skills to get back into their 8th floor room.
Winter • March 1, 2010 12:34 PM
Was it not said that no fortification is safe unless it is manned by determined defenders?
And who would be foolish enough to trust a hotel door lock?
Ted Major • March 1, 2010 12:45 PM
Maybe a special tool, or maybe just a piece of copper wire:
John Campbell • March 1, 2010 1:11 PM
Perhaps they didn’t so much have to make up a plan on the fly, but they had to adapt it. That makes it a “good” plan as per Patton.
The basic techniques would have to be adaptable– how many differing varieties of hotel locks are there and are the various manufacturers “well penetrated”– though, had someone in the room set those little “open the door a little way and then stop” widgets I’ve seen, it’d be far more difficult to enter the room.
Special Ops people are not “good little robots”… they are people with the full range of human faculties. Robots would have a problem coping with a sudden change… but humans are pretty good at it as long as the culture they were raised in allows latitude for initiative.
The fictional MacGuyzer could improvise all kinds of technology to carry out a specific task (even if, as televised, steps are dropped to avoid providing TMI to teen-agers) though it is adapting to circumstances that is really key.
What’s that motto? “Adapt, Improvise, Overcome”?
moo • March 1, 2010 2:20 PM
@Andrew: “The only way to keep a hotel room secure is to keep a person (or two, if you’re paranoid) in it at all times.”
And even that won’t keep them secure from potential eavesdropping. For all you know, the hotel owner has hidden cameras installed in all the ceilings and gets his hijinks from collecting camera vids of honeymooners.
Its best not to do or say anything in a hotel room that you wouldn’t want caught on camera or microphone – turning on a “secure” laptop for example. I wouldn’t leave such things unattended in the room either.
lukeg • March 1, 2010 2:21 PM
@billy – take a product from idea to physical reality and you will find that even a simple thing such as a chair costs much more to make in small batches than you are willing to pay.
tack on 2 zeroes, you might get a taker for a limited range of door hardware.
Daniel • March 1, 2010 2:46 PM
What’s really shocking (to me at least) is that I still live in a part of the USA where no one (including me) even bothers to lock their doors when they leave for days at a time.
Everyone is trying so hard to be safe and if someone wanted to kill me they would just have to crawl in through the wide open window.
HJohn • March 1, 2010 3:01 PM
@Daniel: “What’s really shocking (to me at least) is that I still live in a part of the USA where no one (including me) even bothers to lock their doors when they leave for days at a time. Everyone is trying so hard to be safe and if someone wanted to kill me they would just have to crawl in through the wide open window.
Many people don’t grasp the difference between prevention and deterence.
Most homes don’t really effectively prevent entry, they simply deter it. A locked door can’t stop a determined intruder. The deterence value lies in an intruder who doesn’t not target you specifically. The attraction of an unlocked door is that one can enter without drawing attention to themselves or arousing suspicion.
In fact, in most cases, even bars on the windows and dead bolts don’t do the trick. The door can be kicked down, or the walls can easiliy be chainsawed. However, a big gaping hole cut in the side of the house is likely to be noticed. Therefore, alternate entry points have an inherent deterring effect.
In any case, to bring this back to the hotel room topic, the door is only one way in, but it would be the preferred way. Breaking in a window would get one in, but it is not likely to go unnoticed. Likewise, the door could be knocked down, also unlikely to go unnoticed.
Always good to view more information and show how this part of the operation may have been approached.
As mentioned earlier still high probability they possibly gained entry by posing as hotel staff.
godel • March 1, 2010 4:19 PM
What amazes me is that an obvious and important target was travelling alone and unprotected.
Was he being set up by someone in his own organisation?
Clive Robinson • March 1, 2010 5:21 PM
You can make such a device yourself in a workshop with little difficulty.
It is one of the things I was indirectly refering to on the original thread.
If you look at hotel doors they are insecure by design in the lock area and the doors and frames are “standard size” this shows in the “sloppy fit” to the frame.
However they generaly have very good hinges and the doors are solid as is the frame.
This sloppy fit (often 1/4 of an inch) can be used to your advantage.
If you think of a simple sissor mechanism whereby you have two plates in X form with a hing in the middle and a turn buckle on one end.
If you close the door and have two of these X’s, you close the X flat and put one side in between the door and the frame at the top corner and the same at the bottom (due too basic hollow door construction) and then use the turnbuckle to open the X’s out they jam very solidly on their own but with a couple of holes and steel splinter style picture nails (with head removed and inserted in the door frame with a hand pin punch) a very considerable force and a lot of noise would be required to open the door.
Likewise I mentioned that a lot of things could be stopped with a towel and a chair.
You take a large bath towel and the “desk chair” you go over to the door and you drop the towel over the back of the chair and give it an extra four to six inches.
You then hold the chair and sweep it up to the door so that the back legs are ontop of the towel.
You then pull the towel tight across the back of the chair and put your heavish suit case on top of it to keep it in place.
You can augment this with a second towel or a pillow to stop fiber optic cameras, this rather clumsy do hicky etc.
With just a little practice you can make the usuall desk chair actually bite into the carpet with it’s front legs and the back legs raised a little it makes a quite effective “door wedge” and actually would take effort to dislodge and therfore noise.
You can also by “car vibration alarms” that fit eaisly with a little blue tack to both doors and windows. The audio level from these can “wake the dead”.
Likewise geting/making electricaly fired “smoke pots” is not difficult.
The point is the more noise and disturbance the better (for your safety).
Buy the way if you want to make one of these door opening do-hickies I would suggest you use “piano wire” of the same sort that are used in transmitter whip antennas for vehical mounting.
For fun just take an ordinary wire coat hanger unravel it straighten it out and have a play.
Provided the coat hanger is large enough and the lock low enough then you can practice “the feel” of using it. Oh and joining two coathangers together is not overly difficult with a pair of pliers and a bit of knowledge as to what you are about.
Clive Robinson • March 1, 2010 5:50 PM
“And even that won’t keep them secure from potential eavesdropping. For all you know, the hotel owner has hidden cameras installed in all the ceilings and gets his hijinks from collecting camera vids of honeymooners.”
Hidden video cameras are usually trivial to find if you know what you are about.
What you need is a camera phone where you have removed any “plastic” from the glass lense, one of those dinky little LED keyring flash lights, and an infared LED which you can get one from an old TV remote control (at a pinch use the remote control for the TV in the room).
You then use the principle of “lamping” which is what “cats eyes” in the road use. If the light source and the camera in the phone are very close together then the “red eye” effect will be seen on the phone display where the hidden camera lense is.
There is a similar technique using a small parobola and ultrasonic pulse generator (bat click generator/detector) which will find the diagframs of microphones.
Then there is the good old “non linear junction detector” that will find a lot of electronics including cameras and microphones unless those placing them take adiquate screaning and decoupoling precautions.
Then there is the “thermal imaging cameras” all electronics are inefficient and radiate (or absorb if a peltier) heat. Thus turning on the aircon full blast and going out of the room (or putting a coat on) will after a half hour or so bring the ambient temprature down sufficiently for a sensitive thermal imaging camera to pick up the heat signiture.
There are other methods but these tend to get most of the devices.
And often something as simple as a three inch nail with a couple of hundred turns of enamled copper wire around it connected up to an appropriate (DC) amplifier can be used to detect either the power or signal lines.
And one of those pocket “metal detectors” you see in “tech toy shops” will find quite a lot of stuff.
It realy is quite difficult to hide ordinary electronics from someone who knows what to look for and with what.
Oh and remember if you are going to use a noise source to talk quietly against don’t use the radio or TV in the room, a competant person buging the room would have used atleast two “pick up mics” and a “cancel mic” in the TV and radio to subtract from the “pick up mic” signals.
A 4 channel 24bit sound card and easily available “open source” libraries will give you all the DSP code you need (go have a look at the Linux Software Defined Radio pages if you need a pointer 😉
Clive Robinson • March 1, 2010 6:41 PM
Sorry I forgot to add,
“Its best not to do or say anything in a hotel room that you wouldn’t want caught on camera or microphone – turning on a “secure” laptop for example. I wouldn’t leave such things unattended in the room either.”
Is very sound advise to follow at all times (including after having done a sweep 😉
askme233 • March 1, 2010 9:47 PM
@Billy, Perhaps what clive was getting at, but jamming a couple of coins between the door and frame will make almost any door unopenable as it jams the hinges. It is very difficult to tell see the pennies in most cases and as the whole door jams, it is not obvious why it will not open. a fun prank also…
Bi-Coloured-Python-Rock-Snake • March 3, 2010 5:31 AM
@ Clive, regarding coat hangers: I once spent a while living in a barracks with hotel-style card locks, and the coat-hanger trick was remarkably easy. We would get in trouble if we left a pre-fashioned “master key” in the utility closet, but we usually got away with leaving a couple of hangers hidden around the place. There were several “locksmiths” in that building could fashion the hook and get a door open in about 90 seconds, and that’s without ever really practicing to do it quickly. I’m sure a purpose-built slimjim could do the trick just as fast as a key.
Clive Robinson • March 3, 2010 8:00 AM
“I once spent a while living in a barracks”
As they say “been there done that” might have been a different “there” though 😉
My lockpicking skills where known about when I was wearing the green but usually only to the “OR’s” and one or two select “Ruperts” who knew me well enough to know I was OK.
Unfortunatly I was caught out one day. Some of my (so called) “mess buddies” used to go and find locks to put on my locker. I got so used to it that I would expect to come back of an evening to find some chunky lump of iron hanging next to my lock and hearing the rustling of people outside the door watching the fun.
Well there I was one sunny afternoon not having too much luck with the latest lump of iron, when it went quiet but I did not twig as to why. Anyway I finally got the dam lump open and chucked it on the bed, turned to find the Adjutant, CO and RSM standing there watching me on a surprise inspection.
The RSM was turning that heart stopping colour of purple, and with out thinking I looked him in the eye and said, “It’s bad enough with the others playing practical jokes but you lot as well?”
Needless to say his mouth dropped at which point thankfully the Adjutant actually started to laugh quietly. The CO not sure of what was going on (you know that fish out of water look) asked me what I was doing.
I explained that my mess buddies where always finding new locks to put on my locker and taking side bets as to how long it would take me to get them off.
He said “Do you do this for entertainment?” to which I replied “No I preffer to read, but I never get the time due to the dam locks”. The Adjutant started to laugh a realy deep belly laugh (and I swear there where tears as well).
The CO looked at the Adjudant shock his head shrugged his shoulders turned and walked out with the Adjutant and RSM in tow.
I didn’t hear any more about it untill about a month later when the CO lost the key to his office one day but that as they say is another story.
P F • March 3, 2010 10:37 AM
The operation needs not use the funny stuff, there are ways to copy or make room key cards very cheaply, My quess is that someone also was on staff and simple slipped the code to the team. we used 9 digits, and it was always the same pattern, room number and the day of the week they checked in as in 009,12.25.09, remove the comma’s and periods. I think its a pretty universal system.
if not, there is enough give in the sides of door jambs to push them apart just enough to open the doors if you have a rig. I used to make a rig that had two rubber feet and a off set hinge point, walk up to a door, set the feet and then press down and the doorjamb would expand enough to let the dead bolt and latch to open. very fast and quiet. might take 5 seconds to open a door.
Gweihir • March 3, 2010 6:56 PM
What surprises me is that the attackers messed up so badly. Sure, a decade or two ago this would have been a perfect, undetectable kill. Today it is not and it is not so surprising that they were caught, given the high-profile target. It would possibly have still gone undetected with a low-profile target. Scary thought.
Anyways, have these killers gotten rusty or used procedures from a long time ago? Did they not scout the location adequately? Or were they so sure of sucess that they got sloppy and failed in what must have been one of the two primary mission objectives? At least the little wave one of the killers gave to a surveilance camera seems to suggest this.
Anywasy, this is a massive screw-up. Killing somebody is not hard. Any caveman can do it. Getting away with it is the tricky part. I think these people have just failed “Assassination 101” by reason of a beginners mistake.
Clive Robinson • March 4, 2010 3:47 AM
I’m going to play devil’s advocate here, wether you feel it is a house of cards or mirrors is up to you 😉
“What surprises me is that the attackers messed up so badly.”
1) That is an assumption we are all making, and it is only based on our opinions (if none of them are ever found etc then no they did not mess up).
“Sure, a decade or two ago this would have been a perfect, undetectable kill.”
2) Yes and it is right out of the (supposed) Mossad “play book” as written 30 odd years ago by a (supposed) Mossad defector who tried to crack down on Mossad coruption.
“Today it is not and it is not so surprising that they were caught”
3) Actually they have not been caught a set of pictures and names that did not belong to them have been published by the Dubai Police.
“given the high-profile target.”
4) Let us assume for the moment they knew due to the nature of the target that what has happened was very likley to happen publicaly or otherwise.
“It would possibly have still gone undetected with a low-profile target. Scary thought.”
Yes and people have reason to belive that the previous UK Prime Minister R.Hon Tony Blair PM, MP had Dr David Kelly “suicided” for the same reason “scooter” libby outed a CIA agent. We certainly know that the head of the UK Civil Service got politicaly involved (a down right no no) and had Dr Kelly threatand just before he gave evidence to a House of Commons Commity. So politicians are quite happy to play “wet games” of one form or another.
“Anyways, have these killers gotten rusty or used procedures from a long time ago?”
5) This is the sixty four thousand dollar question.
If you look back to (2) you might think “hang on a moment”…
Let us assume that they have not gone rusty but deliberatly used old Mossad tactics as described in the book…
It gives rise to an interesting set of posabilities (which I’ll go into later).
“Did they not scout the location adequately?”
6) It has been said that the target changed hotel unpredictably (but more on that later).
“Or were they so sure of sucess that they got sloppy”
7) You need to re think that a little bit as,
‘got sloppy’ or were ‘deliberatly sloppy’
It ties back to point (5).
“and failed in what must have been one of the two primary mission objectives?”
8) again you are making what may be an incorrect assumption.
They may well have decided as part of the mission plan to deliberatly play it this way.
“At least the little wave one of the killers gave to a surveilance camera seems to suggest this.”
9) May well have been the equivalant of an “up yours” or 1
/ 2 finger salute.
By somebody who knew perfectly well that even a full on face shot to camera was not going to do anybody any good because their planning had mitigated this (more on this later).
“Anywasy, this is a massive screw-up.”
10) That depends on your assumptions about what the game plan was.
“Killing somebody is not hard. Any caveman can do it. Getting away with it is the tricky part.”
Easiest way to do this is “drunk driving” in a “stolen car”.
11) The Police tend to belive what their perception of the facts tell them.
“I think these people have just failed “Assassination 101″ by reason of a beginners mistake.”
12) You may be making a police forensics 101 mistake.
Back to the Devil’s advocate argument,
‘The plan went without a hitch and actually worked better than expected. The target is dead and it appears to have been done to an old well published Mossad play book, thus Israel are getting the blaim as expected.’
A) The plan assumed that the death of a very important target would get more than Police forensics 101.
B) The plan was then designed around this (A) and was staged appropriatly to look like Mossad.
Appart from they “failed field craft 101” this gives rise to two basic possabilities (B.1, B.2).
So the three basic possabilities are,
B.1) It was a group trying to make it look like Mossad.
B.2) It was Mossad trying to make it look like Mossad.
B.3) Who ever they are they failed field craft 101, for one reason or another.
Thus bluff, double bluff or circumstances / ineptness (you could argue tripple bluff etc but that takes you back to B.1 or B.2 anyway).
If any of the people get positivly identified over and above matching the photos and convicted then yes it’s B.3.
C) But B.3 breakes down into another issue.
It may not have been possible to get the target without being identified.
Thus for some reason the cost of 30 field agents was considered justifiable.
Thus you have several possabilities arising,
C.1) The target had to be stopped to prevent a more serious issue.
C.2) The the death of the target was not the plan.
C.3) The death of the target was for Political not tactical reasons.
I’m going to commit the grave sin of following “Godwin’s law” for a moment as a historical point.
We know that there where several plans to take out Hitler during WWII but although some where reasonably viable (on paper) they did not go ahead.
One of the reasons stated later was that he was more use alive than dead. This had some creadence due to the German’s own military trying to kill Hitler.
So lets flip that one on it’s head.
D) Let us assume that the target is more of a capability threat than the others in his organisation or even other similar organisations, or was trying to broker some kind of deal.
Thus the target may have been planning to,
D.1) Remove those less competant than himself.
D.2) Form an aliance with another organisation.
D.3) Broker a deal with a hostile forign power.
D.4) Broker a “peace deal” which would not be in the interests of those whos organisation/nation the team came from.
I could go further but I’ll stop to let people have a think and give their two cents worth.
Gweihir • March 6, 2010 8:48 PM
@Clive Robinson: Well, of course it could be a highly effective misdirection and your arguments A/B/C are indeed plausible.
I tend to go by “Never attribute to malice that which is adequately explained by stupidity”, which in this particular situation may be wrong, but I somehow doubt it.
I would say “pretty stupid” and “intentionally looking stupid” are about equally probable. I know that this type of operation is supposedly planned and executed by people that are so far above the common skill level, that we cannot even imagine what they are doing. However, looking at reality and expecially history, massive screwups happen in that world as well and the methods used are not nearly as advanced as people believe.
And don’t forget, luck is with the fools. These people may still get away with it even if it was a screwup.
Barry Wels • March 15, 2010 3:38 AM
Just for the record: we have moved to a different server and hope there will be no longer problems with crashing websites 🙂
Kevin Gets • March 15, 2010 11:51 AM
I was more impressed with how the assassins left the door chained from the inside as they left… rather than cracking a lock to get into a hotel room.
JosephK • March 16, 2010 1:13 AM
If it was the type of rigid (not a chain) latch that swings from the door frame over a hook mounted on the door, then setting the latch is a simple matter of looping a string (tooth floss works) around the latch and pulling both sides underneath the opposite side of the door. Once the door is closed, pulling on both sides of the string will set the latch. Then pulling on one side of the string to remove it. This seems to be a common type of latch in hotel rooms.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Leave a comment