What is the threat model these devices protect against, and where are they vulnerable?
Hardware wallets vary in features and hardware, but the general concept is largely the same. A trustworthy device holds the cryptographic keys, shows information on its own dedicated screen, and accepts secure input through its own interface (buttons or a touch screen).
In the hardware wallet security model, the user interacts with an untrusted host device to build a transaction paying an amount to an address; the transaction is then sent to the hardware wallet to be completed, including the cryptographic signatures. The user is expected to verify the information displayed (that is, the amount) and approve the transaction on the device. Each transaction requires explicit approval on the hardware device, and the host cannot make transactions without it.
This differs from the traditional software wallet model, in which the user interacts with an untrusted host that, once the wallet's encryption key has been entered, can make any arbitrary transaction of any amount to any destination.
How much do the commonly recommended practices for using these devices improve the security of storing Bitcoin with them?
Much of the security advice given about using hardware wallets adds very little security, or gives only the illusion of security rather than being a genuinely effective measure.
One often-repeated security measure is to check that the address shown on your hardware wallet matches the one you entered in the companion application on the host computer. This makes no sense, since the destination address is supplied by the untrusted host. A mismatched address would indicate nothing at all beyond a serious software failure in the device.
How safe are these devices to store Bitcoin?
The security of any device ultimately rests on trust in the manufacturer, since it is extremely easy for software bugs to allow complete theft or loss of funds, and for invisible backdoors to be inserted. History has shown that many of the available devices are plagued by serious code quality problems, have made poor choices in the security design of their hardware, and can otherwise be an unsafe option for storing funds.
Backdoors in Bitcoin transactions are trivial to produce and extremely difficult to detect, specifically because of certain properties of ECDSA, especially if they are used only sporadically. An ECDSA signature contains a number (the nonce) generated from a supposedly random source; if that number is instead constructed to carry values chosen by a third party, the secret private key or other information can be leaked while the signature remains valid. Modern software implementations of ECDSA use deterministic generation (5) for the secret nonce value, but this is not verifiable without using the private key for validation.
All current devices have shown serious problems in their open-source ECDSA cryptography implementations, or simply keep their implementation entirely closed source to evade analysis.
The Bitcoin Trezor originally shipped with an ECDSA implementation based on a Python library transcribed into C. This code was comically slow and exposed a very large timing side-channel attack (6). Being physically close to the device while it signed a transaction exposed enough information at runtime to recover private key material. Trezor has had a considerable number of bootloader, timing analysis, power analysis and hardware vulnerabilities.
The Ledger Nano has an amateur-hour bug in its bootloader that allows security to be completely bypassed on at least the main processor, the one that handles user input and communication. On most microcontrollers the memory map contains mirrored regions, so the same data can be accessed at multiple addresses; the bootloader simply did not account for this and allowed arbitrary changes to security-sensitive code.
The CoinKite hardware series uses micro-ecc, an abandoned "ECDSA for Arduino" library that contains absolutely no tests and is vulnerable to at least one timing attack.
Using a hardware wallet to store Bitcoin is not a bulletproof option; it is a considered set of security trade-offs that requires consideration and understanding of the threats and weaknesses of the devices.