They offer most of the security of paper wallets, in that they are only vulnerable to physical theft, but they remove the need to load the private key in wallet import format into software that is exposed to online vulnerabilities.
Hardware wallets come in two parts: one connected device and one disconnected device.
The connected wallet holds the public keys and performs all the functions of a standard wallet by choosing which transactions to sign. However, it can't sign them itself, as the offline device holds the private key.
The next step is to connect the device, which is usually done via a USB port (which could be insecure) or via a QR code. With the USB method, the transaction is sent to the now-connected offline device, signed, sent back to the wallet and then fed into the Bitcoin network and its myriad of nodes for verification and inclusion in the blockchain. With the QR code method, the bitcoin transaction is assembled by the online software and a QR code is generated. This is then scanned by the offline device, which in turn generates a signed-transaction QR code, which is scanned back into the online software and sent off to the Bitcoin network for verification.
Some devices, such as Trezor, require a PIN. Trezor is probably one of the better-known brands among the small subset of offline hardware wallets. With a Trezor wallet the private keys are generated on the device and never leave it. The keys are created deterministically and a seed key is generated when the device is initialised, meaning that if it is lost or stolen a new device can be rebooted from that seed on command.
Another device is the Ledger wallet, which has some unique features through its compatibility with the Electrum wallet and the Ledger Wallet Google Chrome application. The wallet contains a microprocessor, which is the banking industry standard for securing data.