Random numbers are an essential input to many functions on the Internet of
Things (IoT). Common use cases of randomness range from low-level packet
transmission to advanced algorithms of artificial intelligence as well as
security and trust, which heavily rely on unpredictable random sources. In the
constrained IoT, though, unpredictable random sources are a challenging desire
due to limited resources, deterministic real-time operations, and frequent lack
of a user interface.
In this paper, we revisit the generation of randomness from the perspective
of an IoT operating system (OS) that needs to support general purpose or
crypto-secure random numbers. We analyse the potential attack surface, derive
common requirements, and discuss the potentials and shortcomings of current IoT
OSs. A systematic evaluation of current IoT hardware components and popular
software generators based on well-established test suits and on experiments for
measuring performance give rise to a set of clear recommendations on how to
build such a random subsystem and which generators to use.