You would need to be specific about which one of the linked documents you meant, there were several. All the hacking attempts started off with a manufacturer's programmer and worked back from there. In the example using a software radio, the researchers were able to replay sniffed commands to the device after it had been activated by the programmer.
Which of the reports talked about a device being compromised without using a manufacturers programmer?
>"We implemented several active [replay] attacks using [only] the USRP and a BasicTX daughterboard to transmit on the 175 kHz band." //
Yes, they used a programmer for reverse engineering purposes but from my - admittedly brief - look at the paper it seemed they performed active attacks (page 8(A) onwards) without using the programmer.
So they previously used a programmer but the attacks were performed without one. Assumed true it seems a reasonable PoC that contradicts the essence of your statement which seemed to say all "hacks" needed a manufacturers programmer to perform.
Someone has linked a PDF of an "ICD study" upthread that shows your contention to be at least partially false.