How do you know it's been separated the whole time? Did you build all the components from scratch? You don't know where they've been prior to you getting them. Even if you got everything straight from the factory manufacturer's have been caught hiding backdoors and exploits in their hardware since the 90s at least.
What about the OS you load in it. Did you build and develop it yourself? You know every line of code in it?
If it's not separated, then it's not separated.
The assumption is that the initial setup of your offline computer is reasonably secure.
Each time it communicates with the outside world there is a risk of something going wrong.
Your offline computer might be virus free, but a vulnerability means that it autoruns USB devices. If there is a virus on the USB stick that you use to transfer your transactions, then the offline computer could be compromised.
Even if you have a virus, it has to be able to get data to the outside world, or no harm is done.
Offline | | Online | | Comment | | Countermeasure |
|
Clean | | Clean | | This system is safe | | None needed |
|
Clean | | Compromised | | This allows false transactions to be sent for signing | | You must check the transaction's destination and value on the offline computer |
|
Compromised | | Clean | | This allows false transactions to be sent back from signing | | You must check the transaction's destination and value on the online computer |
|
Compromised | | Compromised | | The offline virus can just send your private keys to the online computer for forwarding to the internet | | None |
The key point is that as long as you check the transaction on both your offline and online computer, then you are safe as long as at least one of the 2 are clean.
Even if both are compromised, they have to both be compromised by viruses that cooperate with each other.
One interesting side case is where the offline computer leaks private key data over time. For example, it tries to sign a few times until it gets certain bits in the signature to match a pattern.
That is useless for generate keys but could be used to leak the master private key and chain-code.