This article talks about the security features and philosophy of Trezor. See also SatoshiLabs Security Manifesto.
Zero trust principle
The Trezor security model works on the zero trust principle. The zero trust principle says that any part of a secure system could be compromised at some point.
However, even if someone hacked Trezor Wallet, or your computer was infected, Trezor will keep your funds safe. This unique feature makes Trezor more secure than any other means of storage.
Verify and confirm
Let's suppose that you have to make a payment and you only have access to an untrusted computer. How would you verify that the payment will be sent to the right person and not to a malicious third party? An infected computer could easily lie about the transaction amount or destination.
Using the Trezor screen, you can independently verify and physically confirm every transaction directly on your device. See also Making payments.
Trezor extends the zero trust principle even on the person using the device.
To protect your funds in case somebody steals your device, Trezor requires you to enter the PIN number every time you plug it into a computer. This extra step guarantees that the person using Trezor is physically present and that it is you.
Thanks to the design of the PIN entry mechanism, the connected computer never learns your secret code. The mechanism also makes it very difficult for any person standing behind you to read what you are typing.
A single-purpose computer
Trezor is a single-purpose computer. There are no additional functions or hardware - nothing that could compromise the device in your hands and the funds in your wallet. Simple means safe.
For more information about Trezor hardware, see the relevant section of the Glossary.
Limiting the attack surface
When a computer has to deal with untrusted information, there is a risk of malware or virus infection. Trezor is no exception. To limit the attack surface, Trezor communicates through a simple USB protocol. There is no Wi-Fi or Bluetooth connection, no camera for scanning QR-codes, no fingerprint reader for identifying the user. We take all these steps because we want Trezor to be as secure as possible. The fewer devices Trezor communicates with, and the simpler the communication protocol is, the safer.
Also, Trezor has no battery. When unplugged, it is off and your coins are safe from any cyber attack.