There are several levels at which hardware wallets can be attacked, Bakkum explained in his presentation, which repeated points made in a company blog post from October: Attacks on the communication layer (meaning, the protocol connecting a wallet to a laptop, be it USB port, QR code or SD card, is compromised), the logic layer (malicious software is injected) and physical layer (attacker breaks open the device, attach probes and tampers with it).
