Assassination and hotel door security

I am reading up on the assassination of Hamas leader Mahmoud al-Mabhouh with red cones. Never ever have so many operational details come out about missions like this. Twenty years ago this would have gone on file as a ‘highly suspicious death’, but in this day and age of CCTV cameras it did not go unnoticed. What is special this time is that a (must-see) video was just released by Dubai police, and it looks like a Hollywood production. The link to this blog? … since the murder took place in a hotel, I was immediately interested to read details on how they gained entry. And some things are still unclear about it, even though this article says: “They entered the room using copies of keys they had somehow acquired.”

electronic hotel locks with a mechanical override

This could point to the fact that a lot of electronic hotel door locks have a mechanical override. Most of the time there is a mechanical lock mounted under the handle of the door that can be opened with a master key. In some cases the lock is even hidden under a sticker or label, but in most hotels I visited there is a lock present in case the electronic lock fails (in some countries it is not legal to rely only on the electronics). I know that in some hotel locks a mechanical opening is still recorded by the electronics in the lock and will end up in the log files. To get hold of the master key, one could rent a room in the same hotel and simply (for an intelligence agency that is) take the mechanical lock out of the door, take it apart and make the master key based on the now known pin length. (Or if you believe the myth, ‘they’ already have done all the fieldwork and collected the mechanical master keys to all important hotels in advance anyway …)

Another way to open some hotel doors would be to simply go under the door and grab the handle from the inside using a special tool. As you can see in this video, it is not so difficult. And the tool used to go under the door is even available in a ‘government only’ version. This version can easily be taken apart into small segments but is only sold to government agents.

And I suggest a slightly modified tool like the one on the video was used for the finishing touch of the murder. To make it look like a natural death, they locked the chain on the inside of the door …

It is all a funny coincidence as the video of the tool was just shot a couple of weeks ago when Han Fey and I did a presentation at the famous IT-Defense security congress in Germany. It is a congress where we always meet lots of interesting people and always get a lot of invitations to give more presentations and/or workshops. We were originally invited to just do some hands-on workshops and teach people the basic locksport/lockpicking skills, as well as a few simple opening techniques like shimming doors etc. But when some of the conference speakers missed their plane, we were asked to give an ‘emergency presentation’ to fill the gap. And as we do not like to give the same presentation twice, we shot some video (using a mobile phone) on the spot late at night about the door opening tool (and how to protect yourself against it) and inserted it into a compilation of existing presentations. Originally I did not intend to release the video as it shows me opening a door, but in this case I make an exception …

And for those of you who want to know more on the inner working of hotel locks, I have blogged about it before (including a video of ‘how it is made’)….

28 Responses to “Assassination and hotel door security”

  1. mercurial says:

    I do not believe they necessarily had to attack the mechanical override cylinder, as many of the common hotel locks that use cards (be they infra-red, magnetic or mechanical) are mostly very vulnerable to bypass.

    Marc Tobias outlines these vulnerabilities in LSS, (just for a start, see pp 440, 705, 730, 797, 781 in the 2000 hardcopy edition) he has developed and patented simple decoders for a lot of these locks. Pressure sensitive materials, Hall effect and other sensors for magnetic locks, simple reading of the lock, infrared decoders and the like often allow the creation of a masterkey to the card part of the lock with little effort – I guess it all comes down to what specific locks were used at the hotel in Dubai.

    If the cleaning staff at the hotel use the mechanical cylinder, then capturing a photograph of the key would be simple (eg one concealed camera, pointed at the cylinder on any hotel room door).

    Maybe the choice of attack of the mechanical cylinder, vs the card lock came down to what will leave the least forensic evidence?

    As for re-locking a doorchain, a stick with an elastic band can accomplish that, without a ‘under the door’ tool.

    Those ‘under the door’ tools, and ‘letterbox tools’ (for countries where it is common to have a letterbox slot for mail in the door) seem to be overlooked quite often when considering the security of a premises. I know that the fire safety regulations, which often require that doors be openable from the inside, by any person, in the case of an emergency, do make it much harder to eliminate this kind of attack – even some of the more advanced emergency door openers would be vulnerable to attacks based on the ‘under the door’ principle.

  2. mercurial says:

    Also – when using a towel to protect against ‘under the door’ tools, would it not be possible to simply first snare the towel (the tool shown should do it, otherwise add a fishing), pull it free, and then open the door as normal?

  3. mercurial says:

    ‘otherwise add a fishing’ should say ‘otherwise add a fishing hook’

  4. mercurial says:

    Ouch…. four posts in a row. My apologies.
    The first link in your post to the UK Times Online article is broken. The format of the link seems correct, maybe the article got pulled?

  5. Cybergibbons says:

    In the video on Gulf News, they show an excerpt from a VingCard log with the location as LockLink which is their handheld programmer for card based locks. VingCard used to mean punched hole access cards, but they’ve moved onto mag stripe and RFID (and probably some contact cards as well). There’s a series of 4 or 5 contacts in the back of the card slot which allow the device to be queried and reprogrammed using a PocketPC device.

    Not all of them have a mechanical override either. But the ones that don’t will have a master card key.

  6. elphreaker says:

    Well, the biggest vulnerability I experienced was in a student residence of a group of friends of mine, amateur lockpickers, and locksmiths when I showed them how easy it was to get the master key of the building:

    I thought I could just ask for a key to open my bedroom with the excuse of leaving my keys inside, but it was a lot easier:
    We went down the lift with a security guard that was carrying a MASSIVE bunch of keys, I said (as in a James Bond movie) “That’s a big keyring!” whilst taking the load of keys off his hands, I went checking key by key as the lift went down until I saw one called “Grand master”, looked at the 5 digit code (that wasn’t even encrypted, it was the actual bitting), pulled out my phone and dialed the number.

    When I left the lift I asked my friend, “You realized how I got the master key huh?”, none of the group had even realized that I was doing something related with the master key.

    That’s how sad things can get with mechanical locks, what shocked me even more was that the master keying was absolutely random, the master combination was lower than my friend’s room key…

  7. mercurial says:

    elphreaker – wow! that is a heap of really messed up security at that student residence!

    There is no underestimating what human stupidity, coupled with a bit of social engineering can accomplish. Massive investments in security devices can become almost useless when the ‘human factor’ comes into play.

    That said, NO security guard should ever allow their keys to be handled like that (these days, just having a key visible can lead to it being photographed and copied – as blackbag readers will be well aware!). I’m not saying it didn’t happen, but that was one very careless security guard!

    For the direct code for the grandmaster key, in a student residence building that is large enough to need a lift, to be stamped on the key bow, on a key that is coined/stamped “Grand Master” strikes me as quite strange – even with some of the shoddy locksmiths out there, the locksmiths who are capable of implementing a masterkeying system for such a building aren’t likely to stamp direct key codes on any of the keys in the system. I am not saying you made this up, but this is very unusual.

    I would also have thought that a good locksmith would’ve ensured that at least ONE space on the masterkey’s bitting is higher than that of any change key in the system (to prevent a change key being filed down into a master), but I have seen instances where this has not been the case.

    Do you remember what keyway this building used? – I would’ve thought it would’ve been a somewhat restricted key profile, making it (somewhat) difficult to get a key cut to code?

  8. elphreaker says:

    Well I’ll give you some details:
    The locks fitted were Tesa T5s, a very very very common lock in Spain, what happens here is that on one hand, Tesa, as Kaba, prepares locks with any kind of specifications to some locksmiths, the locksmiths send the lock plan, with all the codes, keys needed and the inside pinning of locks, and they will send the keys. Tesa marks, or marked, every single key they make with their machinery, and these T5s aren’t encrypted, I’ll post some photos when I get home.

    In a bunch of 20 keys you need to put tags on each key so you know where it comes from, even with a color code it would be insane. And you can’t expect a security guard to know that an innocent, and comprehensive gesture of a client saying “You are carrying a massive keyring!” could have any bad consequences.

    The keyway is totally common, ANYONE can buy key blanks, I’m not a locksmith but I have some friends that supply me with them, anyhow I used to buy those keys for 40 cents a blank.

    Here (in Spain) it’s somewhat like some 3rd world countries (in the locks and security field), some have master plans with Kaba experTs, and others have 10€ locks master key systems.

    It’s gob-smacking when you see some banks with Kaba, Keso, or MulTlock (yes, I know, they sold them expensive poop), and others with “CVL’s”, the crappiest locks besides Chinese, Spanish made, the upper and lower pins have a bevel to handle the enormous tolerances of these locks.

  9. mercurial says:

    Thanks for the clarification.
    I know the Tesa T5 – simple 5 pin cylinder.

    I’m totally unfamiliar with lock deployment in Spain. I stand by what I said in my post above, with respect to how most buildings like that would be secured, but I totally accept the situation there in Spain is totally different to the countries I have experienced.

    That security guard in the lift has got to lift his game, but it is the direct code stamped on the master key that really makes me cringe.

  10. mercurial says:

    When I first tried to read the TimesOnline article (first link in this blog post), the article was gone – just a 404 not found error.

    The link now works, and mentions that “..no security camera covered the door to al-Mabhouh’s room and there is no footage of how the team gained entry… Hotel records show that at 8pm an attempt was made to re-programme the lock to his door..”

    If this UK Times Online article is to be believed, the lock to the victim’s room was interfered with electronically. So it would seem that it is the electronic/card part of the lock that was attacked.

  11. elphreaker says:

    Here you are guys, a key of the place I’m talking about, sorry for the crappy quality, using laptop webcam.
    http://www.elphreaker.com/wp-content/uploads/2010/02/Imagen-004.jpg

  12. jos weyers says:

    @picture:
    the bitting looks to be the exact opposite of the code stamped on the key.
    9 -> 1
    8 -> 2
    …..
    4 -> 6

  13. elphreaker says:

    Exactly, well, it all depends on the reference you use… ;)

  14. David Mudkips says:

    The Dubai report said that the door was locked and barred from the inside.

    The locked part is pretty easy to understand. Every hotel door lock I’ve seen in the last decade is locked on closing, with no way to override this. Close the door — it’s locked.

    As for being “barred,” I presume this means the secondary lock meant to be used while the room is occupied was also engaged. I haven’t stayed in any Dubai hotels, but the vast majority of hotels I’ve been in anywhere else in the world use a tuning-fork shaped handle with a ball at the end that has to be moved horizontally to engage.

    Out of curiosity, some years ago, I decided to see if I could engage this lock from the outside (with a friend in the room!) to see if it could be done without detection.

    The solution turned out to be trivial. I tied a string to the movable (tuning fork) bar with a slip-knot, closed the door until there was only about a 1/4″ gap left open, then pulled the string to engage the bar. Once partially engaged, I pulled the release line on the slip-knot and finished closing the door.

    Worked like a charm.

  15. blah says:

    “Originally I did not intend to release the video as it shows me opening a door, but in this case I make an exception …”

    Oh how gracious of dad. But that’s the same thing as withholding it. It’s you imagining that you know best and that only you know about it. You’re protecting us from ourselves and saving billion dollar corporations with your FREE ‘research’ they’d rather not hear about.

    I see that pathetic mindset in computer security. It’s obnoxious and misguided but have your little ego trip. It’s only you and that old, Jewish American lawyer doing this. You get free trips to sausage fests where you whine about everything but get tried like geek rockstar for poking a piece of metal in a hole. YAWN.

  16. Jean-Claude says:

    http://shop.acculock.biz/index.php?route=product/product&keyword=vingcard&product_id=572

    Some engineer’s blue, and a file? And as said earlier, why not just impression your own door?

  17. jos weyers says:

    @blah:
    get a life.

  18. Jean-Claude says:

    I don’t think the GMK overrides the deadbolt on VC’s.

  19. elphreaker says:

    @blah
    If it actually was pathetic and worthless you wouldn’t comment, get a life mate.

  20. Aviatrix says:

    blah, I read it more as “because it shows me opening a door,” that is that he didn’t want to post video of himself doing something that would be frowned on, perhaps a personal policy, as opposed to attempting security by obscurity.

  21. John Stag says:

    If the locks were like the ones in the photo then wouldn’t a simple bump key do the trick?

  22. Schuyler says:

    Blah sounds a bit familiar…

  23. I find this odd. First time I saw the tool you suggest that unlocked the hotel door was in college (2004). A guy went around breaking into rooms with that.

    My school’s response was to turn the inside handles vertical and down. Made that tool ineffective and really didn’t annoy anyone. Most people did wonder why the inside handle was vertical.

  24. @ Schuyler: “i wan GENERICODE for AUDI, must have 2 legs 2 arms to have to steel” :P

  25. [...] When we entered our hotel room I was thrilled to see it had a chain on the inside … (see my previous post on hotel doors to read why). The chain is a weak link by itself as it was obvious if had been [...]

  26. Jean-Claude says:

    Barry: read up on a styrofoam cup, raw brass, and impressioning. Wow.

  27. Jean-Claude says:

    And no, you don’t need ownership of the key.

  28. It is wonderful security step taken by this hotel that there is no need of ownership of the key.