An attacker can still use the hardware wallet to transfer money as long as it's plugged in. To prevent this you need external hardware with a display and external input (that cannot be reflashed through usb (!)).
Wrong. The hardware wallet requires physical access to sign transactions with the private key (you have to press the button to acknowledge the transaction).
Peer comment has hit the nail on the head: what you're describing is the functionality provided by hardware wallets -- external physical input/display.