Which threat model do they protect themselves from and are vulnerable to?
Hardware wallets are security appliances with different hardware and equipment, but the overall concept is largely identical. A trusted device has cryptographic keys, lets you view information on a dedicated screen, and accepts secure input through its own interface (buttons or touchscreen).
In the Hardware Wallet security model, a user interacts with his untrusted host device to create a transaction that pays an amount to an address. The transaction is then sent to the hardware wallet to compose the transaction, including the cryptographic signatures. The user is expected to review the displayed information (namely the amount) and confirm the transaction on his device. Each transaction must be explicitly acknowledged on the hardware device, and the host can not perform transactions without this permission.
This differs from the traditional software wallet model, where a user interacts with an untrusted host who, upon entering the wallet encryption key, can execute any transaction at any height to any destination.
To what extent do generally accepted practices for using these devices improve the safety of storing Bitcoin?
Many of the security notices for using hardware wallets offer very little additional security or merely the illusion of security rather than actual action.
A common security practice is to check that the address on your hardware exchange matches the address you wanted to send to the host computer using the companion application. This is completely meaningless since the destination address is provided by the untrusted host. The mismatched address is an indication of absolutely nothing but a fatal software error of the device.
How safe are these devices for storing Bitcoin
The ultimate security of the device relies on the manufacturer's trust, as software flaws can very easily make it possible to completely steal or lose money and insert invisible backdoors. The past has shown that many of the available devices are subject to serious code quality concerns, have poor hardware security design choices, and may otherwise be an insecure choice for the storage of funds.
Backdoors in Bitcoin transactions are easy to create and hard to detect, especially if they are sporadic, especially because of some of the capabilities of EDCSA. ECDSA signatures contain a number that is generated from a supposedly random source. However, if this number is designed to contain third-party values, it may deny the secret private key or other information and be valid at the same time. Modern software implementations of ECDSA use (deterministic generation) (5) for the secret nonce value, but this is not verifiable without using the private key for validation.
All of today's devices have had serious problems with their open source implementations of ECDSA cryptography, or their implementation has simply been run as a fully closed source to avoid analysis.
The Bitcoin Trezor was originally shipped with an ECDSA implementation based on a Python library that has been transliterated
c, This code was strangely slow, revealing a (very large timing sidechannel attack) (6). If you are physically close to the device while signing a transaction, enough information is displayed during execution time to expose private key material. The Trezor otherwise had a significant number of bootloader, timing, power analysis and hardware vulnerabilities.
The Ledger Nano has an amateur hour error in the bootloader that allows a complete bypass of security on at least the main processor processing user input and communication. In most microcontrollers, the layout of the memory has repeating sections and multiple locations where data can be accessed. The bootloader simply did not know this and allowed arbitrary changes to the security-related code.
The CoinKite hardware series uses micro-ecc, a discontinued "ECDSA for Arduino" that contains absolutely no tests and is prone to at least one timing attack.
Using a hardware wallet to store Bitcoin is not a bulletproof choice. These are a series of security compromises that must address and understand the threats and weaknesses of the equipment.