It's specifically said the router's firmware was encrypted so he couldn't read it, much less install sniffers or backdoors. About only thing it's reasonable to expect him to be able to do is disable some firewalls between internal and the public Internet. And even that is assuming their internal network was directly connected to "free, public WiFi" and city officials had password lists and locations of the nukes on unsecured shares on their desktops... which is, kinda large leap of faith. Especially since the article says they worked with him solving the problem, so they must've been all like "Oh you found an exploit to get into our secret unprotected network? Oh no, please don't use it or leave any backdoors, or we'll be in big trouble, we'll just let you secure them."
With regards to unencrypted communication over public WiFi, all he'd had to do was put a high-powered WiFi router with same SSID up. Certificates won't even be much help if the attacker is in charge of the network and can re-direct traffic via a proxy "faking" the site or just forcing TLS off. No hacking of routers required. Though if this was their public Internet gateway, likely all that'd give him would be a glimpse of the city servants Facebook chatter and pr0n searches.