Look at Intel/AMD etc with Meltdown and Spectre and they are a huge company.
yup, i've been talking about the large attack surface and questionable authentication practices underlying hardware wallets for a while. the vulnerability seems to exploit the shared attestation (vs. authentication) problem that eric voskuil touches on
here.
the "supply chain" attack he outlines is pretty worrisome. better steer clear of 3rd party resellers on ebay, amazon, etc!
I am sure you also saw the Snowden leaks where he was talking about compromises in the shipping chain itself! e.g. opening packages in transit to compromise them.
The shear surface area of the attacks that can happen is immense - a nation state attacker or just a rogue worker at Amazon, Alibaba, DHL, UPS, FedEx or any other world-wide shipping company. A compromised component manufacturer. etc.
At least on many of them the software is open source, but the components themselves are rarely open source design and manufactured.
The "supply chain" attack can be countered if you validate the seed? I will not dump loads of coins onto any hardware wallet for a extended time in any way. I will use it for small amounts for daily ecommerce and store the rest of the coins in cold storage. The management of the coins is more important that the device or method you use to store the coins.
If you acquire the product directly from Ledger and not from Amazon or some obscure third party, you should be fine. If the seal was broken on the package, I would only use it for small amounts.