It would be best to try figure out how they got in in the first place. Realistically, I see these being the main possibilities:
1. Password being too short and able to be bruteforced after capturing the auth handshake.
2. Using an encryption method which is insufficient such as WEP or WPA1 (Not common anymore but still some use it).
3. WPS Pixie dust attack (Not common anymore but still some routers are vulnerable).
4. Physically retriving the password via social engineering or some similar method.
5. Something completely different is happening and it's not that guy doing it. Routers are pretty much directly connected to the internet and so it's not impossible for someone to be remotely running exploits on it.
Don't want to make it seem like I don't trust your word on that guy being the one doing it as I don't know him, yet I do know that computer engineer ≠ hacker. They are very different fields of knowledge which require many hours of learning/practice each.
1. Password being too short and able to be bruteforced after capturing the auth handshake.
2. Using an encryption method which is insufficient such as WEP or WPA1 (Not common anymore but still some use it).
3. WPS Pixie dust attack (Not common anymore but still some routers are vulnerable).
4. Physically retriving the password via social engineering or some similar method.
5. Something completely different is happening and it's not that guy doing it. Routers are pretty much directly connected to the internet and so it's not impossible for someone to be remotely running exploits on it.
Don't want to make it seem like I don't trust your word on that guy being the one doing it as I don't know him, yet I do know that computer engineer ≠ hacker. They are very different fields of knowledge which require many hours of learning/practice each.