diff --git a/doc/mfc_notes.md b/doc/mfc_notes.md
index 530af9b96..a6fd1beff 100644
--- a/doc/mfc_notes.md
+++ b/doc/mfc_notes.md
@@ -43,3 +43,7 @@ The nonce is just the same for each auth with the same parameters.
 
 Vulnerable:
 1. decode card-reader trace
+
+## reader-only attack
+
+The readers have a random generator bug. With it, we can recover a key for the sector it tries to authenticate.