If you look at the pdf presentation he is saying that there are multiple ways to access ACARS on an aircraft if you know its address, ARINC and SITA make this a selling point. So getting ACARS messages up to the aircraft is simple.
He then uses standard hacking techniques like malformed messages, for esample an ACARS message that should have a character count instead provides a negative number or a ginormous number, he can do this because he is not trying to send ACARS messages he is trying to break the receiving software and he is not using an ACARS friendly transmission system. The computer that is running the ACARS software is _also_ the one in which a whole pile of other things run including the FMC, display processing, MCDU etc etc. So if he can make it run some exploit code by sending it a broken message that then allows him to upload some more code running at high authority, he has broken into the computer that is running around "80 - 100" of the major control applications of the aircraft.
Its all on the pdf slides.