I have done long haul 2.4ghz wireless links before with directional antennas (60+ miles).

36K feet is 6NM vertical. I have an antenna in my car, and enough power with the car running to reach a large aircraft audience. This doesn't even take into account if I have the transmitter and a lithium ion battery in my luggage (I've travelled across the world with Pelican cases loaded with AV and IT kit; no one asks, and they've only been opened by the TSA twice).

TL;DR Unauthenticated, unencrypted radio protocols are vulnerable, that's all.

I doubt ACARS requires particularly high power on the receiver end. For VHF aircraft voice communications, a simple handheld transmitter/receiver running off a boring rechargeable battery, drawing little enough power to last all day while stil fitting in your hand, will easily reach 100 miles line of sight.

If you want to throw far (200-300 miles), it never hurts to have more watts.

abd-s works on 1080Mhz which should further improve range.

Rough back of the envelope calculations give a range of about 300nm for an aircraft at 37000ft

Your radio horizon if you're a ground attacker will be limited by your antenna height. Attacked with powerful transmitted in Class B airspace at a busy airport? You're gonna have a bad time.

Of course that's what it's for. He's attempting to get publicity to spread the word about his possible exploit. And of course it has "in real life" caveats. He tried it in a closed simulated system.

The idea here is that it is a possible exploit. Sure the media are a bunch of morons who just bounce from one headline to another, but not to treat this as a real possibility would be foolhardy. It needs to be tried in an controlled environment and mitigated if necessary (after real life testing)and feasible.