State-Aware Fuzzing for Trusted IoT OS


IoT PHYSICAL SECURITY

Physical and hardware security


Many IoT deployments will be in remote and isolated areas leaving sensors and
edge routers vulnerable to physical attack. Additionally, the hardware itself needs
modern protection mechanisms common in processors and the circuitry of mobile
devices and personal electronics.
RoT
The first layer of hardware security is the establishment of a RoT. The RoT is a
hardware-validated boot process that ensures the first executable opcode starts from
an immutable source. This is the anchor of the boot process that subsequently plays
a role in bootstrapping the rest of the system from BIOS to the OS to the application.
An RoT is a baseline defense against a rootkit.
Each phase validates the next phase in the boot process and builds a Chain of Trust.
An RoT can have different starting methods such as:
• Boot from ROM or nonwritable memory to store the image and root key
• One-time programmable memory using fuse bits for root key storage
• Boot from a protected memory region that loads code into a protected
memory store
An RoT also needs to validate each new phase of boot. Each phase of boot maintains
a set of cryptographically signed keys that are used to verify the next phase of boot:
Figure 2: Establishing a RoT. Here is a five-phase boot building up a Chain of Trust and starting with a
boot loader in immutable read-only memory. Each phase maintains a public key that is used to verify the
authenticity of the next component loaded.
Chapter 13
Processors that support an RoT are architecturally unique. Intel and ARM support
the following:
• ARM TrustZone: ARM sells a security silicon IP block for SOC
manufacturers that provides a hardware RoT as well as other security
services. TrustZone divides hardware into secure and non-secure "worlds."
TrustZone is a separated microprocessor from the non-secure core. It runs a
Trusted OS specially designed for security that has a well-defined interface
to the non-secure world. Protected assets and functions reside in the trusted
core and should be lightweight by design. The switching between worlds
is done through hardware context switching, eliminating the need for
secure monitor software. Other uses for TrustZone are to manage system
keys, credit card transactions, and digital rights management. TrustZone is
available for A "application" and M "microcontroller" CPUs. This form of
secure CPU, Trusted OS, and RoT is called a trusted execution environment
(TEE).
• Intel Boot Guard: This is a hardware-based mechanism that provides a
verified boot that cryptographically verifies the initial boot block or uses a
measuring process for validation. Boot Guard requires a manufacturer to
generate a 2048-bit key for verifying the initial block. The key is split into a
private and public portion. The public key is imprinted by programmatically
"blowing" fuse-bits during manufacturing. These are immutable one-time
fuses. The private portion generates the signature of the subsequently
verified portion of the boot phase.
Key management and trusted platform
modules
Public and private keys are critical to ensuring a secure system. The keys themselves
need proper management to ensure their safety. There are hardware standards
for key security and one particularly popular mechanism is the Trusted Platform
Module (TPM). The specification for TPM was written by the Trusted Computing
Group and is an ISO and IEC standard. The current specification is TPM 2.0
released in September of 2016. Computer assets sold to the DoD require TPM 1.2.
A TPM is a discrete hardware component with a secret RSA key burned into the
device at manufacturing.
Generally, a TPM is used to hold, secure, and manage other keys for services such
as disk encryption, RoT booting, verifying the authenticity of hardware (as well as
software), and password management.
IoT and Edge Security
A TPM can create a hash of a litany of software and hardware in a "known
good" configuration that can be used to verify tampering at runtime. Additional
services include assisting in SHA-1 and SHA-256 hashing, AES encryption blocks,
asymmetric encryption, and random number generation. Several vendors produce
TPM devices such as Broadcom, National Semiconductor, and Texas Instruments.
Processor and memory space
We have already discussed various exploits and processor technologies that act
as countermeasures. Two predominant technologies to look for in CPU and OS
facilities include non-execution memory and address space layout randomization.
Both types of technologies are meant to burden or prevent buffer-overflow and
stack-overrun types of malware injection:
• Non-execution protection (or executable space protection): This is a facility
enabled by the hardware used by the OS to mark areas of memory as
non-executable. The intent is to map only areas where verified and legitimate
code resides to be the only regions of addressable memory that can execute
an operation. If an attempt is made to implant malware through a stack
overflow type of attack, the stack will be marked as non-executing and an
attempt to force the instruction pointer to execute there would result in a
machine exception.
Non-executable memory uses an NX bit as a means to map the region as
non-executable (through the translation lookaside buffer). Intel uses the
Execute Disable (XD) Bit, and ARM uses an Execute Never (XN) Bit. Most
operating systems, such as Linux, Windows, and several RTOSes, support
such features.
• Address space layout randomization (ASLR): While more of an OS
treatment of virtual memory space than a hardware feature, it is important
to consider ASLR. This type of countermeasure targets buffer-overflow
as well as return-to-libc attacks. These attacks are based on an attacker
understanding the layout of memory and forcing calls to certain benign code
and libraries. Calling these libraries becomes particularly laborious if the
memory space is randomized on each boot. Linux provides the ASLR ability
using the PAX and Exec Shield patches. Microsoft provides protection for
heap, stack, and process blocks as well.
Storage security
Often, IoT devices will have persistent storage at the edge node or on a router/
gateway. Intelligent fog nodes will require persistent storage of some kind as well.
The security of data on the device is imperative to prevent malicious malware from
being deployed and to protect the data in the event the IoT device is stolen. Most
mass storage devices, such as flash modules and rotating disks, have models with
encryption and security technology.
The FIPS 140-2 (Federal Information Processing Standard) is
a government regulation detailing encryption and security
requirements for IT devices that manage or store sensitive data. It
not only specifies technical requirements but also defines policies
and procedures. FIPS 140-2 has several levels of compliance:
• Level 1: Software-only encryption. Limited security.
• Level 2: Role-based authentication is necessary. Requires
the ability to detect physical tampering using
tamper-evident seals.
• Level 3: Includes physical tamper resistance. If the device
is tampered with, it will erase critical security parameters.
Includes cryptographic protection and key management.
Includes identity-based authentication.
• Level 4: Advanced tamper protection for products designed
to work in physically unprotected environments.
In addition to encryption, it is also necessary to consider the security of media
when it's decommissioned or disposed of. It is fairly easy to retrieve contents from
old storage systems. There are additional standards on how to wipe and erase
content securely from media (whether it's a magnetically based disk or a
phase-change flash component). NIST also publishes documents on securely erasing
and wiping content such as the NIST Special Publication 800-88 for Secure Erase.
Physical security
Tamper resistance and physical security are particularly important for IoT devices.
In many scenarios, an IoT device will be remote and without the safeguards of
on-premises devices. This is analogous to the Enigma machine of World War Two.
Retrieving a working machine from the German submarine U-110 helped break
the cipher. An attacker with access to the IoT device can use whatever tools are at
their leisure to crack the system, as we saw with the Chain Reaction exploit.
Side-channel attacks, as shown, deal with power analysis; other forms are timing
attacks, cache attacks, electromagnetic field emissions, and scan-chain attacks.
The common theme of a side-channel attack is the compromised unit is essentially
a device under test (DUT). This means the device will be observed and measured
in a controlled environment.
Additionally, techniques like differential power analysis (DPA) use statistical
analysis approaches to look for the correlations of random input to output. The
statistical analysis only works if the system behaves identically from run to run with
the same input:
Methodology and description:
• Timing attacks: Attempts to exploit small differences in the timing of
algorithms. For example, measuring the timing of a password decoding algorithm
and observing early exits from the routine. Attackers also can observe cache
utilization to witness the characteristics of the algorithm.
• Simple power analysis (SPA): Similar to a timing attack but measures large
changes in dynamic power or current due to the behavior of an algorithm and
opcodes. Public keys are particularly susceptible. The analysis needs few traces
to work, but the traces need a high degree of precision. As most cryptographic
algorithms are mathematically intensive, different opcodes will show up as
different power signatures in a trace.
• Differential power analysis (DPA): Measures dynamic power but can observe
changes that are too small to be observed directly as in SPA. By injecting
random input (such as different random keys) into a system, the attacker can
perform thousands of traces to build a data-dependent set. Attacking an AES
algorithm, for example, simply means building two sets of traces depending on
the value of the bit (0 or 1) being cracked. The sets are averaged, and the
difference between the 0 and 1 set is plotted to show the effect of the random
input to the output.
Methods of prevention are well known, and several can be licensed and used in a
variety of hardware. Countermeasures for these types of attacks include:
• Modify the encryption function to minimize the use of the key. Use a
short-lived session key based on a hash of the actual key.
• For timing attacks, randomly insert functions that will not perturb the
original algorithm. Use different random opcodes to create a large work
function for the attacks.
• Remove conditional branches that depend on the key.
• For power attacks, decrease leakage at every opportunity and limit the
number of operations per key. This reduces the attacker working set.
• Induce noise into power lines. Use variable timing operations or skew
clocks. Change the order of independent operations. This reduces
correlation factors around the S-Box calculation.
Other hardware considerations include:
• Prevent access to debug ports and channels. Often these
are exposed on the PCA as serial ports and JTAG ports.
Headers should be removed and fuse bits blown to prevent
debug access in the most hardened cases.
• ASICs typically use ball grid array (BGA) pads to attach
to a PCA. High-performance adhesives and thermally
resistant glue should be used to surround the package and
may cause irreparable damage if tampered with.
Explain the physical and hardware security of IoT edge devices in detail from the above text and also your own info

Physical and hardware security for IoT edge devices is essential due to their deployment in remote, often unprotected
areas, leaving them susceptible to various forms of attack. This security layer includes methods to safeguard both the
physical device and its hardware components, ensuring the device functions securely despite potential risks.

1. Physical Security of IoT Edge Devices

Tamper Resistance: IoT devices in remote areas can be physically tampered with, exposing them to unauthorized
access. To mitigate this, tamper-resistant designs use enclosures, locks, or seals that indicate if the device has been
opened or manipulated. For high-risk environments, tamper-evident seals or casings may be used to make
unauthorized access immediately apparent.

Protection Against Side-Channel Attacks: IoT devices are also vulnerable to side-channel attacks, which exploit
power consumption, electromagnetic emissions, timing, or cache usage to infer sensitive information. For instance,
differential power analysis (DPA) and timing attacks measure variations in power usage or algorithm processing
time to extract cryptographic keys or other sensitive data. Countermeasures include:
    • Reducing leakage by minimizing the number of operations dependent on sensitive information.
    • Inducing noise on power lines to obscure patterns.
    • Randomizing execution paths or timing operations to prevent consistent behavior patterns.
Prevention of Debug Port Access: Debugging ports, such as serial and JTAG ports, can expose sensitive system
functions if accessed by an attacker. For secure IoT devices, these ports are often physically disabled after
manufacturing. Blowing fuse bits, which permanently disable these ports, or using adhesives around connections,
ensures that any attempt to tamper with them will be evident.

2. Hardware Security Components

2.1 Root of Trust (RoT)

The Root of Trust (RoT) is the foundation of secure boot processes for IoT edge devices, where a hardware-based,
immutable boot process starts from a secure source. This initial trusted environment creates a "Chain of Trust" through
the boot sequence:

Booting from Immutable Memory: The RoT may use ROM or one-time programmable memory (OTP), which stores
secure keys and boot images that cannot be altered after manufacture.
Secure Key Storage: Storing root keys in write-protected memory ensures they are not modified or replaced.
Phase Validation: Each phase of the boot process cryptographically verifies the next phase, ensuring that
unauthorized changes or malware cannot inject code. This validation process continues until the OS and application
layers are securely loaded.

Trusted Execution Environments (TEEs) like ARM’s TrustZone further enhance RoT by segregating secure processing from
the main application. TrustZone divides a processor into secure and non-secure regions, allowing secure operations such
as key management, secure payment transactions, and digital rights management to take place in a protected
environment.

2.2 Trusted Platform Module (TPM)

The Trusted Platform Module (TPM) is a dedicated hardware chip that enhances security by managing cryptographic keys
and certificates:

Key Management: The TPM securely stores and manages encryption keys used for various security functions, such
as disk encryption, system integrity verification, and secure boot.
Hashing and Encryption Services: TPMs offer additional security services like SHA-1 and SHA-256 hashing, AES
encryption, asymmetric encryption, and random number generation, which are vital for secure communications and
data storage.
Tamper Detection: In the event of tampering, TPMs can detect and erase sensitive information, such as
cryptographic keys, protecting the system from further compromise.

3. Processor and Memory Protection

Protecting the processor and memory of IoT devices against code injection attacks is critical. Key methods include:

Non-executable Memory (NX Bit): This feature prevents certain areas of memory, especially those intended to
store data, from executing code. By marking these regions as non-executable, attacks like buffer overflows are
mitigated.
Address Space Layout Randomization (ASLR): ASLR randomly arranges the memory addresses used by system
and application components during each boot, making it difficult for attackers to predict and exploit specific
memory locations.

4. Storage Security

Data stored on IoT devices in remote areas requires robust security to prevent unauthorized access or data extraction if
the device is compromised or stolen:

Encryption: Mass storage, such as flash or hard disks, often uses encryption to protect data, with standards like FIPS
140-2 providing compliance levels. These levels range from software-only encryption (Level 1) to hardware-based,
tamper-resistant designs (Level 4), which are suitable for devices in physically unprotected environments.
Data Erasure: Secure erasure methods ensure that sensitive data cannot be recovered from decommissioned
storage media. Standards like NIST’s Special Publication 800-88 outline best practices for wiping data securely,
ensuring data on reused or disposed devices is irretrievable.

Summary of Countermeasures for IoT Physical and Hardware Security

IoT edge devices require a layered approach for physical and hardware security, combining secure boot processes,
cryptographic key management, non-executable memory, address randomization, and protected storage. These
measures, implemented through hardware components like RoT, TPM, and TEE, provide the foundational defense against
both direct and side-channel attacks.

Shell security
We have examined hardware security up to this point, but the architect must also
consider network and shell security of the system. Network security is covered
in Chapter 9, Edge Routing and Networking. We will explore one area of shell
connectivity in this section: SSH, or secure shell.
SSH is a cryptographic network protocol used to provide services like login,
command-line control, remote access, and root access to modern operating systems.
SSH uses a secure channel over an unsecure network, employing methods such
as SHA-2 and SHA25. Additionally, authentication is performed using various
methods, such as public key exchange or simple passwords. Typically, SSH sessions
use port 22.
Although the protocol uses authentication and encryption methods, there are still
vulnerabilities:
• A preferred method is to use public key exchange when authenticating.
These are far better than password-based security.
• A typical attack vector is brute force username/password attempts. SSH
ports provide an easy opportunity for attacks as devices may keep the port
open and exposed on the Internet. There should never be empty passwords
on any system. Additionally, use very strong usernames and passwords,
using pseudorandom password generators.
• SSH sessions should never sit idle. It is possible for an SSH session to
terminate if there is no activity by modifying the ClientAliveInterval.
• Use another port besides port 22. Many people simply choose port 222 or 2222
for convenience. It is recommended to use an unused port far from these
easily guessed integers.

• Use two-factor authentication methods


Explain in detail about shell security and the need for it to be deployed in IoT applications from the above text and in your
own words pls

Shell security is an essential layer in IoT security architecture, particularly when managing and controlling devices
remotely. In IoT systems, which often operate in distributed environments and are highly interconnected, shell security
protects access to command-line interfaces and critical system controls. For IoT devices, secure shell (SSH) is commonly
used to establish encrypted connections for tasks such as command-line control, login access, and root access.

The Role of SSH in IoT Security

SSH (Secure Shell) is a protocol that provides secure access to network services over an unsecured network. By encrypting
the data exchanged between client and server, SSH protects against eavesdropping, man-in-the-middle attacks, and data
tampering. SSH is particularly valuable for IoT applications because it ensures:

Encrypted Remote Access: Protects command-line and file transfer sessions from interception and unauthorized
access.
Secure Authentication: Verifies identities through methods such as public key exchange or passwords, adding
layers of security beyond traditional login methods.

However, SSH has its vulnerabilities, particularly when improperly configured, which can make IoT devices exposed to
attacks.

Why Shell Security is Crucial for IoT

IoT devices frequently operate in remote or unsecured environments, where they are vulnerable to physical and
cyber-attacks. Effective shell security, particularly via SSH, helps to:

Prevent Unauthorized Access: Secure shell protocols reduce the likelihood that unauthorized users will gain access
to IoT devices, thereby protecting the command-line interface, configuration files, and system settings.
Enable Secure Maintenance: Since IoT devices often require remote monitoring, diagnostics, and software
updates, SSH ensures these maintenance tasks are performed securely.
Limit Attack Surfaces: Without robust shell security, IoT devices can serve as entry points for hackers, potentially
exposing the entire network to cyber threats.

Key SSH Security Practices for IoT Applications

1. Use Public Key Authentication Instead of Passwords


Public key-based authentication is preferred over simple passwords for SSH connections. With public key
cryptography, each user generates a key pair (a public and a private key), where the private key is kept secure,
and the public key is shared with the device. This method is stronger than passwords and reduces the risk of
brute force attacks.
2. Prevent Brute Force Attacks with Strong Passwords and Access Control
IoT devices that leave SSH port 22 open and accessible to the internet are vulnerable to brute force attacks,
where attackers attempt to guess usernames and passwords. To mitigate this:
    • Avoid leaving SSH ports open unnecessarily.
    • Use complex, pseudorandomly generated passwords and usernames.
    • Disable empty passwords entirely to ensure that all accounts require authentication.
3. Enforce Session Timeout Policies
Idle SSH sessions can pose risks, as they leave the door open to unauthorized users who might hijack the
session if unattended. Configuring timeouts using the `ClientAliveInterval` setting forces SSH sessions to
close after a period of inactivity, reducing the risk of session hijacking.
4. Change Default SSH Port (Port 22)
By default, SSH operates over port 22, which is widely known and frequently targeted by attackers. Changing
this port to a less commonly used number can reduce unwanted attention from automated attacks. Ports such
as 222 or 2222 are often chosen for this purpose, though ideally, a random, high-numbered port should be
used to reduce predictability.
5. Implement Two-Factor Authentication (2FA)
Adding two-factor authentication (2FA) provides an extra security layer, where users must supply a second
form of identification, such as a one-time code sent to a mobile device. Even if an attacker manages to steal a
password, 2FA will prevent unauthorized access.

Benefits of Shell Security in IoT

Incorporating robust shell security in IoT systems leads to several advantages:

Enhanced Data Privacy: SSH encryption ensures that sensitive information exchanged between devices and remote
servers is kept private, which is critical for personal and enterprise IoT deployments.
Resilience Against Network Threats: Shell security mitigates many risks associated with open network channels,
preventing man-in-the-middle attacks and packet sniffing on insecure networks.
Better Device and Network Control: Shell security provides a secure way to maintain, configure, and control
devices in a distributed network, ensuring that only authorized users can access critical functions and settings.

Conclusion

Shell security, through protocols like SSH, is indispensable in IoT networks where devices are often deployed outside
traditional secure environments. By enforcing SSH best practices—such as using public key authentication, securing
access controls, changing default ports, enforcing session timeouts, and implementing two-factor authentication—IoT
applications can protect their command-line interfaces from unauthorized access and control. Robust shell security not
only safeguards individual IoT devices but also contributes to the overall security of the IoT ecosystem.

Explain cryptography: symmetric, asymmetric cryptography, cryptographic hash, public key encryption

Cryptography is the science of securing information through encoding, making it unreadable to anyone who does not
possess the right decryption key or method. Cryptography plays a crucial role in ensuring data integrity, confidentiality,
and authenticity in digital communications. Here’s an overview of the main types of cryptographic techniques:

1. Symmetric Cryptography (Secret Key Cryptography)

In symmetric cryptography, the same key is used to both encrypt and decrypt the data. This method is sometimes
referred to as "secret key" cryptography because both the sender and receiver must share the secret key to communicate
securely.

Process: A symmetric algorithm takes plaintext data and a secret key as inputs to produce encrypted data, or
ciphertext. The same key is then used to decrypt the ciphertext back into plaintext.
Common Algorithms: AES (Advanced Encryption Standard), DES (Data Encryption Standard), and 3DES (Triple DES).
Advantages: Fast and efficient for encrypting large amounts of data.
Disadvantages: The challenge lies in securely sharing and managing the key, especially in larger networks where
multiple parties need access to the data.
Use Cases: Symmetric cryptography is commonly used for data storage encryption, in secure tunnels like VPNs, and
in encrypted messaging apps.

2. Asymmetric Cryptography (Public Key Cryptography)

Asymmetric cryptography, also known as public-key cryptography, uses two different but mathematically related keys: a
public key and a private key.

Process:
    • Encryption: The public key is used to encrypt data, which can then only be decrypted with the corresponding
      private key.
    • Decryption: The private key, which is kept secret, is used to decrypt the data encrypted with the public key.
    • Digital Signatures: Asymmetric cryptography can also create digital signatures by encrypting data with the
      private key, which can be verified using the public key.
Common Algorithms: RSA (Rivest-Shamir-Adleman), ECC (Elliptic Curve Cryptography), and DSA (Digital Signature
Algorithm).
Advantages: Enables secure communication without the need to share a secret key beforehand, ideal for
applications where secure key exchange is difficult.
Disadvantages: Generally slower than symmetric cryptography, making it less efficient for encrypting large data
volumes.
Use Cases: Asymmetric cryptography is widely used in email encryption, SSL/TLS for secure web browsing, and in
blockchain applications to verify digital identities and transactions.

3. Cryptographic Hash Functions

A cryptographic hash function is an algorithm that takes an input (or "message") and returns a fixed-size string of bytes.
The output, known as a "hash" or "digest," is unique to each unique input and is extremely difficult to reverse.

Characteristics:
    • Deterministic: The same input will always produce the same hash.
    • Irreversible: The original input cannot be easily derived from the hash.
    • Fixed Length: Hashes are a fixed length, regardless of input size.
    • Unique: A small change in the input should produce a significantly different hash (known as the "avalanche
      effect").
Common Hash Algorithms: SHA-256, SHA-1, and MD5 (although MD5 is considered insecure today).
Advantages: Efficiently verifies data integrity; even small changes in input produce a different hash.
Disadvantages: Vulnerable to certain attacks, like collision attacks, where two different inputs produce the same
hash (although this is difficult with modern hashing algorithms).
Use Cases: Hash functions are widely used in digital signatures, message integrity checks, password storage, and in
blockchain to validate transaction blocks.

4. Public Key Encryption

Public key encryption is a specific application of asymmetric cryptography where a public key is used to encrypt data that
can only be decrypted by a corresponding private key. This approach allows secure communication even if the public key
is shared openly.

Process: A user encrypts a message using the recipient’s public key. Only the recipient, who holds the corresponding
private key, can decrypt the message.
Security: The strength of public key encryption relies on the difficulty of factoring large numbers (in RSA) or solving
complex mathematical problems (in ECC).
Advantages: Public key encryption removes the need to share a private key and enables secure key exchange.
Disadvantages: Slower than symmetric encryption, making it unsuitable for high-volume data encryption but ideal
for securing smaller pieces of data, such as session keys or digital signatures.
Use Cases: Public key encryption is fundamental in establishing secure connections in SSL/TLS for web browsers,
securing emails with PGP (Pretty Good Privacy), and in digital certificates for verifying identities online.

How These Techniques Work Together

In many security applications, symmetric, asymmetric, and hash-based cryptography work in combination for efficiency
and security. For instance:

SSL/TLS Protocol: Used for secure web browsing, it uses asymmetric cryptography for key exchange, symmetric
cryptography for data transmission, and hash functions for data integrity.
Digital Signatures: Combine hash functions to create unique message digests, which are then encrypted with a
private key for verification with a public key.
Hybrid Encryption: Asymmetric cryptography is used to securely exchange a symmetric session key, which is then
used for faster data encryption.

Each cryptographic method serves a different function in the overall security landscape, creating a layered approach that
enhances the confidentiality, integrity, and authenticity of communications and data storage.

Printed using Save ChatGPT as PDF, powered by PDFCrowd HTML to PDF API. 9/9
