Re: I don't get how this works without the PSK...
Having reviewed the article and the video a couple of times, I think the following is the explanation, but not being an expert, I'm open to corrections :)
The key (pun intended) is that the router vulnerability seems to allow wardriving kit to inject Handshake 3 into the network traffic to acquire the ability to decrypt traffic on a read-only basis. The hijacking of client devices is stage 2 of the process. The video does not deal with the injection of the packets necessary to get the decryption key, only the creation of a MITM attack on an Android device - the MAC address suggests a Samsung phone.
The capability to eavesdrop on a router is backed up by the following from the article:-
"Despite this, however, the ability to decrypt Wi-Fi traffic could still reveal unique device identifiers (MAC addresses) and massive amounts of metadata (websites visited, traffic timing, patterns, amount of data exchanged etc.) which may well violate the privacy of the users on the network and provide valuable intelligence to whoever's sitting in the black van."
Ultimately, if there was no eavesdrop capability, there would be no MITM attack capability as the ability to inject encrypted packets to set up the "rogue channel" would not exist. Hence the statement at the end of the video that patching of routers is the fix.