An attacker with a stolen device can extract the seed from the device. It takes less than 5 minutes and the necessary materials cost around 100$. This vulnerability affects Trezor One, Trezor T, Keepkey and all other Trezor clones. Unfortunately, this vulnerability cannot be patched and, for this reason, we decided not to give technical details about the attack to mitigate a possible exploitation in the field. However SatoshiLabs and Keepkey suggested users to either exclude physical attacks from their threat model, or to use a passphrase.
https://ledger-donjon.github.io/Unfixable-Key-Extraction-Attack-on-TrezorYet another hardware wallet issue folks, this time though, it's unpatchable. If you're using a hardware wallet, encrypt it. If you don't have a hardware wallet, use an offline generated private key/seed (aka "paper wallet"). Be your own bank. Stop trusting hardware wallet manufactures to protect your money.