The story relates to injecting false CAN bus messages (as used by Garmin, Dynon etc) into the EFIS. And it's a beatup.
A key principle in cyber security is that if you have unsupervised physical access to a target system, you effectively own it. Same applies here.
If you have ill intentions and you have unsupervised physical access to a light aircraft, there is an infinite number of awful things you could do. Doesn't matter whether that aircraft is a Tiger Moth, or an RV filled with the latest electronic toys.