Recently we looked at a few Ethernet-to-cellular and serial-to-cellular gateways for security issues by scavenging and analyzing firmware images from a few common vendors. These devices are targeted at industrial users (and, ironically, ATMs are also in the target demographic).
A popular trend with these devices is the usual ‘management backdoor’: management services are bound to all interfaces (including the cellular interface), and a special password gives anyone access. Most often the backdoor password is based on the device serial number or even the Ethernet MAC address, either taking part of that value or performing a simple hashing operation on it. Ironically, these mechanisms can be uncovered by consulting sales listings on eBay, which provide many images showing all three values (serial, MAC, and default password).
Very frequently, gateways are deployed with SNMP enabled, so the device serial number and MAC address can be retrieved remotely. End users are unlikely to completely secure their devices: they change only the known administration password and leave the remaining settings as they are.
Many devices can be found on Shodan, and quite a large subset of those have common industrial/building management protocol ports such as 44818, 502, 47808, and 20000 forwarded to an industrial field device.
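Operators can check their own gateways for this kind of exposure. The following is an added example, not code from the original post or from any vendor: it assumes a Linux-based gateway whose NAT table can be dumped with `iptables-save`, a cellular interface named `wwan0`, and constructed sample rules, and it flags forwards of the four ports above that are reachable from the cellular side without a source restriction.

```python
import shlex

# Ports named in the post, with the protocol each is registered for.
INDUSTRIAL_PORTS = {44818: "EtherNet/IP", 502: "Modbus/TCP",
                    47808: "BACnet/IP", 20000: "DNP3"}

# Constructed sample of `iptables-save -t nat` output; wwan0 is assumed to be
# the cellular interface and eth0 the local LAN.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i wwan0 -p tcp -m tcp --dport 502 -j DNAT --to-destination 192.168.1.10:502
-A PREROUTING -p udp -m udp --dport 47808 -j DNAT --to-destination 192.168.1.20:47808
-A PREROUTING -i wwan0 -s 203.0.113.0/24 -p tcp -m tcp --dport 20000 -j DNAT --to-destination 192.168.1.30:20000
-A PREROUTING -i wwan0 -p tcp -m multiport --dports 8080,44800:44900 -j DNAT --to-destination 192.168.1.40
-A PREROUTING -i eth0 -p tcp -m tcp --dport 502 -j DNAT --to-destination 192.168.1.10:502
COMMIT
"""

def _ports(spec):
    """Expand '502', '500:510' or '80,500:510' into (low, high) ranges."""
    for part in filter(None, spec.split(",")):
        low, _, high = part.partition(":")
        yield int(low), int(high or low)

def audit_nat(rules_text, wan_if="wwan0"):
    """Return (port, protocol, target) for unrestricted forwards reachable via wan_if."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "PREROUTING"] or "DNAT" not in tok:
            continue
        opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        if opt.get("-i", wan_if) != wan_if:  # a rule with no -i applies to every interface
            continue
        if "-s" in opt:  # treated as source-restricted; review negated '! -s' rules by hand
            continue
        spec = opt.get("--dport") or opt.get("--dports") or ""
        for low, high in _ports(spec):
            for port, proto in INDUSTRIAL_PORTS.items():
                if low <= port <= high:
                    findings.append((port, proto, opt.get("--to-destination")))
    return findings

if __name__ == "__main__":
    for port, proto, target in audit_nat(SAMPLE_RULES):
        print(f"exposed on cellular side: {proto} ({port}) -> {target}")
```

Rules that hide an industrial port inside a range or a `multiport` list are caught as well, which is where a quick manual read of the rule set tends to miss them.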