The emerging Intelligent Transportation Systems (ITS) and the proliferation of Connected Vehicles (CVs) are widely expected to greatly improve road safety, traffic efficiency, and driving comfort. At the same time, the vehicle-to-infrastructure (V2I) and vehicle-to-vehicle (V2V) communications that ITS and CVs rely on also introduce new security challenges. Sybil attack is one of the most serious security threats to CV-based ITS, in which a Sybil attacker creates and operates multiple fake CVs from a single physical CV to inject and disseminate false information to mislead the ITS into making suboptimal decisions, e.g., causing fake traffic jams. This paper proposes a novel physical measurement-based method to detect Sybil attacks and identify Sybil CVs. We observe that it is impossible for a single malicious physical CV to be presented at multiple claimed positions at the same time. Second, the Angle of Arrival (AoA) measurement depends on the physical locations of the transmitter and the receiver, which is difficult to forge in practice. Based on these observations, our scheme takes advantage of the inconsistency between their claimed positions and measured AoAs for Sybil attack detection. Detailed simulation studies using both synthetic and real vehicular mobility traces confirm that the proposed scheme can detect Sybil attacks and differentiate Sybil CVs from legitimate CVs with high accuracy.