Somehow I don't think the definition of "remote attack" is "disassemble the computer, attach all kinds of expensive hardware to analyze communications and firmware, hack into the firmware to retrieve the encryption keys, so only then you can use a base station emulator to trick the car into thinking your remote machine is a BMW firmware server."
The "remote attack" requires physical access, specialized skills, and intense hardware interaction. It is not something that some Romanian skript kiddie can pull off from their mom's basement.
The "disassemble the computer" part was only for the initial analysis of how the whole system works. Only one person needs to do this and can then sell the information. With the information from that one single disassembled box, it is possible to remote attack (without physical access other than standing within a couple hundred feet) any other BMW car with the same "connected drive" feature. That is (as described in the article), walk around with the cellular network emulator to trick vulnerable cars to connect to your cellular network, identify vulnerable cars via IMEI, figure out the VIN via the helpful error message the car sends out, activate remote services on the car (if not already active) via a faked message and then you can send the "open doors" command to the car. All of which can be done without physical access to the car other than standing near it, which you would need to do anyway if you want to take advantage of the open door.
So - yes, skript kiddies (or, well, any car thieves) surely can do this, since I am sure that the assembled hardware necessary together with a small instruction manual "how to open any BMW" is available on the internet somewhere.