Abstract

Enterprise Wi-Fi access points featuring BLE (Bluetooth Low Energy) chips have become increasingly common in recent years. While these chips provide new features, they also introduce risks that create a new network attack surface. In this talk, we will demonstrate BLEEDINGBIT, two zero-day vulnerabilities in Texas Instruments' (TI) BLE chips used in Cisco, Meraki, and Aruba wireless access points that allow an unauthenticated attacker to penetrate an enterprise network over the air. The first BLEEDINGBIT vulnerability was discovered in the BLE stack embedded on TI chips in Cisco and Meraki Wi-Fi access points. The second vulnerability was discovered in TI's OAD (over-the-air firmware download) feature used by nearly every Aruba Wi-Fi access point currently for sale. Combined, these vendors represent 80% of all wireless access points sold each year to enterprises.

Using BLEEDINGBIT, an attacker first achieves RCE on the BLE chip, and then can use the BLE chip to compromise the main OS of the access point and gain full control over it. Once an access point has been compromised, an attacker can read all traffic going through the access point, distribute malware, and even move laterally between network segments.

Although first discovered in wireless access points, BLEEDINGBIT vulnerabilities may exist in many types of devices and equipment used across many different industries. For example, medical centers use BLE to track the location of beacons on valuable assets like resuscitation carts. Retailers use BLE for mobile credit card readers and indoor navigation applications. A BLEEDINGBIT attack against any of these devices would come out of thin air, bypassing existing security controls and catching these organizations unprotected.