I wouldn't trust a hardware wallet either. The reason is that exploits can still be discovered in the future or you are never sure if your device was "hacked" in some way prior to delivery.
The Ledger application does check the firmware when plugging in. You won't be able to use your Nano S if the firmware is non-genuine.
The only possibility of a malicious device would be different hardware.
And Ledger has published a guide to check whether an additional chip (or modification) has been built in [1].
This requires opening the case (which does lead to a loss of warranty) since your device can break if you are not being careful.
But the possibility to check your hardware wallet does exist (software- and hardware-wise). Therefore you can definitely make sure you received a non-malicious genuine device.
[1] https://support.ledgerwallet.com/hc/en-us/articles/115005321449-How-to-verify-the-security-integrity-of-my-Nano-S-